------------------------------------------------------------
revno: 12694
revision-id: squid3@treenet.co.nz-20160330141606-19rqzzip0grq9a77
parent: squid3@treenet.co.nz-20150828132515-nvi7c9u05ih9t77y
author: Yuriy M. Kaminskiy
committer: Amos Jeffries
branch nick: 3.3
timestamp: Thu 2016-03-31 03:16:06 +1300
message: pinger: Fix buffer overflow in Icmp6::Recv
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20160330141606-19rqzzip0grq9a77
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 0d5d026b8b9e62ec11be84c9b2a81060c8b1ca02
# timestamp: 2016-03-30 14:50:53 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20150828132515-\
# nvi7c9u05ih9t77y
#
# Begin patch
=== modified file 'src/icmp/Icmp6.cc'
--- src/icmp/Icmp6.cc 2014-09-15 05:07:44 +0000
+++ src/icmp/Icmp6.cc 2016-03-30 14:16:06 +0000
@@ -277,7 +277,7 @@
 #define ip6_hops // HOPS!!! (can it be true??)
 ip = (struct ip6_hdr *) pkt;
- pkt += sizeof(ip6_hdr);
+ NP: echo size needs to +sizeof(ip6_hdr);
 debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt << ", ip6_plen=" << ip->ip6_plen <<
@@ -288,7 +288,6 @@
 */
 icmp6header = (struct icmp6_hdr *) pkt;
- pkt += sizeof(icmp6_hdr);
 if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
@@ -313,7 +312,7 @@
 return;
 }
- echo = (icmpEchoData *) pkt;
+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
 preply.opcode = echo->opcode;
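Review bot: The added line `NP: echo size needs to +sizeof(ip6_hdr);` in the first hunk is prose sitting where a statement used to be, so it is only harmless while this region stays inside a block comment. The `*/` that opens the next hunk's context suggests it does, but the start of that comment is outside the hunk and should be confirmed. I would phrase it as an explicit comment so the caveat survives if the block is ever re-enabled, for example `// NP: if this block is re-enabled, the icmp6_hdr and echo offsets must also add sizeof(ip6_hdr)`.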
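Review bot: `echo->opcode` is read right after the new cast `echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));` in the third hunk, with no visible check that the received datagram is long enough to hold the ICMPv6 header plus the fixed fields of icmpEchoData. The receive call and any length test in Icmp6::Recv are outside the hunk, so this may already be covered; if it is not, a truncated echo reply would be parsed from buffer bytes the peer never sent. A guard before the cast, such as `if (<received length> < sizeof(icmp6_hdr) + <size of fixed icmpEchoData fields>) return;` (placeholders for names not shown on this page), would close that. Because the second hunk stops advancing `pkt`, later payload-size arithmetic in the same function should also be checked to confirm it still subtracts `sizeof(icmp6_hdr)` from the received length.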