by geogriffin 2794 days ago
Pretty sure it was introduced here: https://github.com/apple/darwin-xnu/commit/c10988c130af09087...

In this commit a bunch of code was copy-pasted from BSD into ip_icmp.c in icmp_error() to quote IP packet data in icmp error responses. Unfortunately they forgot to copy a line from the BSD source which would prevent the overflow:

  icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);

m is allocated with a fixed-length buffer (mbuf), which means without that line above we can overrun it:

  m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);

Copy-paste programming in core networking code...
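As an added illustration of the missing bound (this is constructed example code, not xnu or BSD source): a fixed-size cluster stands in for the mbuf returned by m_getcl(), and the quoted length is computed both without the min() line and with it. The cluster size, header sizes and the build_icmp_error() helper are assumptions chosen for the demo; the 8-byte value for ICMP_MINLEN matches the BSD header definition.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel values (assumptions, not copied from xnu):
 * a 2048-byte cluster like m_getcl() hands back, a 20-byte IPv4 header, and the
 * 8-byte ICMP header that ICMP_MINLEN denotes in BSD. */
#define CLUSTER_BYTES 2048
#define IP_HDR_LEN    20
#define ICMP_MIN_LEN  8

/* Unclamped: the quoted length is whatever the caller asked for, which is the
 * behaviour described above once the min() line is missing. */
size_t quoted_len_unclamped(size_t icmplen) { return icmplen; }

/* Clamped: the BSD bound
 *   icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);
 * with an extra guard so the subtraction cannot wrap if trailing_space is tiny. */
size_t quoted_len_clamped(size_t icmplen, size_t trailing_space) {
    if (trailing_space < IP_HDR_LEN + ICMP_MIN_LEN)
        return 0;
    size_t room = trailing_space - IP_HDR_LEN - ICMP_MIN_LEN;
    return icmplen < room ? icmplen : room;
}

/* True when copying `quoted` bytes after the IP+ICMP headers would run past the buffer. */
int would_overflow(size_t quoted, size_t trailing_space) {
    return quoted + IP_HDR_LEN + ICMP_MIN_LEN > trailing_space;
}

/* Hypothetical helper: assemble the error packet into a cluster-sized buffer, but
 * only when it fits. Returns bytes written, or -1 if the copy would overflow. */
long build_icmp_error(unsigned char *cluster, size_t cluster_len,
                      const unsigned char *orig, size_t quoted) {
    if (would_overflow(quoted, cluster_len))
        return -1;
    memset(cluster, 0, IP_HDR_LEN + ICMP_MIN_LEN);           /* headers, left blank here */
    memcpy(cluster + IP_HDR_LEN + ICMP_MIN_LEN, orig, quoted); /* quoted original datagram */
    return (long)(IP_HDR_LEN + ICMP_MIN_LEN + quoted);
}

/* Runs the clamped path end to end with a constructed 4096-byte original datagram,
 * larger than the cluster, and returns the packet length that was built. */
long build_demo(void) {
    static unsigned char orig[4096];            /* constructed oversized datagram */
    static unsigned char cluster[CLUSTER_BYTES];
    memset(orig, 0xAB, sizeof orig);
    size_t quoted = quoted_len_clamped(sizeof orig, CLUSTER_BYTES);
    return build_icmp_error(cluster, CLUSTER_BYTES, orig, quoted);
}

int main(void) {
    size_t want = 4096;
    size_t a = quoted_len_unclamped(want);
    size_t b = quoted_len_clamped(want, CLUSTER_BYTES);
    printf("unclamped: quote %zu bytes, overflow=%d\n", a, would_overflow(a, CLUSTER_BYTES));
    printf("clamped:   quote %zu bytes, overflow=%d\n", b, would_overflow(b, CLUSTER_BYTES));
    printf("built %ld-byte error packet\n", build_demo());
    return 0;
}
```

With a 4096-byte original and a 2048-byte cluster, the unclamped path asks to copy 4096 bytes behind 28 bytes of headers and would overflow; the clamped path trims the quote to 2020 bytes so the packet exactly fills the cluster. The extra underflow guard is not in the BSD line itself, which relies on the freshly allocated mbuf always having more trailing space than the two headers need.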

> Copy-paste programming in core networking code...

There is nothing special about core networking code.

Other than being highly security-sensitive, written in a language without any regard for security.

My thought specifically was that "core networking code" is code that handles untrusted, unsolicited data potentially from the entire world, written in C, with special performance requirements that give programmers a license to eliminate redundant bounds checks wherever possible.