From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
From: Catalin Enache <catalin.enache@windriver.com>
Date: Wed, 20 Apr 2016 15:17:18 +0300
Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv

Upstream-Status: Backport
CVE: CVE-2016-3947

Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
Committer: Amos Jeffries <squid3@treenet.co.nz
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 src/icmp/Icmp6.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
index 794a51a..ee84b80 100644
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -256,7 +256,7 @@ Icmp6::Recv(void)
     #define ip6_hops    // HOPS!!!  (can it be true??)
 
         ip = (struct ip6_hdr *) pkt;
-        pkt += sizeof(ip6_hdr);
+        NP: echo size needs to +sizeof(ip6_hdr);
 
     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
             ", ip6_plen=" << ip->ip6_plen <<
@@ -267,7 +267,6 @@ Icmp6::Recv(void)
     */
 
     icmp6header = (struct icmp6_hdr *) pkt;
-    pkt += sizeof(icmp6_hdr);
 
     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
 
@@ -292,7 +291,7 @@ Icmp6::Recv(void)
         return;
     }
 
-    echo = (icmpEchoData *) pkt;
+    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
 
     preply.opcode = echo->opcode;
 
-- 
2.7.4