diff options
author | maxim <maxim@FreeBSD.org> | 2002-09-17 11:13:04 +0000 |
---|---|---|
committer | maxim <maxim@FreeBSD.org> | 2002-09-17 11:13:04 +0000 |
commit | 55d1f6389083fc3bf1e5d13143c42bf75897ee94 (patch) | |
tree | 5b973c398ca1c821656c41705d9c00239d34428d | |
parent | f4675ef21fd7d7eec78133165de10ea830ff721c (diff) | |
download | FreeBSD-src-55d1f6389083fc3bf1e5d13143c42bf75897ee94.zip FreeBSD-src-55d1f6389083fc3bf1e5d13143c42bf75897ee94.tar.gz |
In rare cases when there is no room for ip options ip_insertoptions()
can fail and corrupt a header length. Initialize len and check what
ip_insertoptions() returns.
Reviewed by: archie, silence on -net
MFC after: 5 days
-rw-r--r-- | sys/netinet/ip_output.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index bca780c..b4bea16 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -141,6 +141,7 @@ ip_output(m0, opt, ro, flags, imo) int rv; #endif /* PFIL_HOOKS */ + len = 0; args.eh = NULL; args.rule = NULL; args.next_hop = NULL; @@ -199,7 +200,8 @@ ip_output(m0, opt, ro, flags, imo) if (opt) { m = ip_insertoptions(m, opt, &len); - hlen = len; + if (len >= sizeof(struct ip)) + hlen = len; } ip = mtod(m, struct ip *); pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst; |