ICMP

race condition

CVE-2017-2671

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.

email

https://www.openwall.com/lists/oss-security/2017/04/04/8

cvedetails

https://www.cvedetails.com/cve/CVE-2017-2671/

omits a certain check

CVE-2016-9919

The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.

cvedetail

https://nvd.nist.gov/vuln/detail/CVE-2016-9919

CVE-2018-4407 (apple)

bsd/netinet/ip_icmp.c:339

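This code is in the icmp_error function. As its comment shows, it exists to generate an error packet when a corrupted packet is received and to return that error over ICMP. The function above is meant to copy the header of the corrupted packet into the ICMP message, but if the header is too large, the mbuf buffer runs into trouble. (mbuf is the data type that stores inbound and outbound packets.) In this part of the code, n is the inbound packet and m is the outbound ICMP packet, and m is allocated on lines 294-296.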

blog

https://www.anquanke.com/post/id/163080
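
The length check that the icmp_error description above calls for, as an added example rather than XNU's own code: a simplified C model that quotes the inbound packet's IP and TCP headers into a fixed-size area of the outgoing ICMP message. The names quote_len, build_quote and make_packet and the QUOTE_CAP capacity are hypothetical, and the packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUOTE_CAP 88      /* constructed capacity of the quote area (assumption) */
#define PROTO_TCP 6       /* IPv4 protocol number for TCP */

/* Number of header bytes to quote from inbound IPv4 packet `pkt` (`len` bytes
 * received): IP header plus TCP header, or IP header plus 8 payload bytes.
 * Returns 0 when the length fields are inconsistent with the packet. */
static size_t quote_len(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    size_t ip_hl = (size_t)(pkt[0] & 0x0f) * 4;       /* IHL: 20..60 bytes */
    if (ip_hl < 20 || ip_hl > len) return 0;
    size_t l4 = 8;
    if (pkt[9] == PROTO_TCP && len >= ip_hl + 13) {
        l4 = (size_t)(pkt[ip_hl + 12] >> 4) * 4;      /* TCP data offset: up to 60 */
        if (l4 < 20) return 0;
    }
    size_t want = ip_hl + l4;
    return want < len ? want : len;                   /* never read past the input */
}

/* Hardened copy: sender-controlled header lengths are checked against the
 * destination capacity before memcpy. Returns bytes copied, or -1. */
int build_quote(uint8_t quote[QUOTE_CAP], const uint8_t *pkt, size_t len)
{
    size_t n = quote_len(pkt, len);
    if (n == 0 || n > QUOTE_CAP) return -1;           /* refuse instead of overflowing */
    memcpy(quote, pkt, n);
    return (int)n;
}

/* Builds a constructed test packet with the given header lengths in bytes. */
size_t make_packet(uint8_t *buf, size_t cap, size_t ip_hl, size_t tcp_hl)
{
    size_t total = ip_hl + tcp_hl;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (ip_hl / 4));           /* version 4 + IHL */
    buf[9] = PROTO_TCP;
    buf[ip_hl + 12] = (uint8_t)((tcp_hl / 4) << 4);   /* TCP data offset */
    return total;
}
```

The point of the model is that both header lengths come from the sender, so the copy length has to be bounded by the destination buffer and not only by the inbound packet.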
