diff options
| author | ae <ae@FreeBSD.org> | 2015-10-28 17:55:37 +0000 |
|---|---|---|
| committer | ae <ae@FreeBSD.org> | 2015-10-28 17:55:37 +0000 |
| commit | f27a84317646769b581a8ee903a983af9306e6ec (patch) | |
| tree | 7f06a75fac1ee68c6cc8ac864f64d78a73275513 | |
| parent | 78fa4cdb3ca68cc791d70aa1e7194666ce617958 (diff) | |
| download | FreeBSD-src-f27a84317646769b581a8ee903a983af9306e6ec.zip FreeBSD-src-f27a84317646769b581a8ee903a983af9306e6ec.tar.gz | |
Check the size of data available in mbuf, before using them.
PR: 202667
MFC after: 1 week
| -rw-r--r-- | sys/net/if_gre.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/net/if_gre.c b/sys/net/if_gre.c index ffd94d8..24ed971 100644 --- a/sys/net/if_gre.c +++ b/sys/net/if_gre.c @@ -691,6 +691,14 @@ gre_input(struct mbuf **mp, int *offp, int proto) KASSERT(sc != NULL, ("encap_getarg returned NULL")); ifp = GRE2IFP(sc); + hlen = *offp + sizeof(struct grehdr) + 4 * sizeof(uint32_t); + if (m->m_pkthdr.len < hlen) + goto drop; + if (m->m_len < hlen) { + m = m_pullup(m, hlen); + if (m == NULL) + goto drop; + } gh = (struct grehdr *)mtodo(m, *offp); flags = ntohs(gh->gre_flags); if (flags & ~GRE_FLAGS_MASK) |
