diff options
| author | pst <pst@FreeBSD.org> | 1996-03-13 08:02:45 +0000 |
|---|---|---|
| committer | pst <pst@FreeBSD.org> | 1996-03-13 08:02:45 +0000 |
| commit | 8c5e343745b777ff35be7f87474f61c336928c35 (patch) | |
| tree | 316c93dde2aab80dc840a0fd7f9f45cf03b6b55c | |
| parent | bb7008423ce89079d136e937165d68311e31c3c5 (diff) | |
| download | FreeBSD-src-8c5e343745b777ff35be7f87474f61c336928c35.zip FreeBSD-src-8c5e343745b777ff35be7f87474f61c336928c35.tar.gz | |
Fix ip option processing for raw IP sockets. This whole thing is a compromise
between ignoring options specified in the setsockopt call if IP_HDRINCL is set
(the UCB choice when VJ's code was brought in) vs allowing them (what everyone
else did, and what is assumed by programs everywhere...sigh).
Also perform some checking of the passed down packet to avoid running off
the end of a mbuf chain.
Reviewed by: fenner
| -rw-r--r-- | sys/netinet/ip_output.c | 5 | ||||
| -rw-r--r-- | sys/netinet/raw_ip.c | 14 |
2 files changed, 14 insertions, 5 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 0bec023..fc2d43d 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 - * $Id: ip_output.c,v 1.30 1996/02/24 00:17:35 phk Exp $ + * $Id: ip_output.c,v 1.31 1996/03/11 15:13:21 davidg Exp $ */ #include <sys/param.h> @@ -473,6 +473,8 @@ bad: * Insert IP options into preformed packet. * Adjust IP destination as required for IP source routing, * as indicated by a non-zero in_addr at the start of the options. + * + * XXX This routine assumes that the packet has no options in place. */ static struct mbuf * ip_insertoptions(m, opt, phlen) @@ -511,6 +513,7 @@ ip_insertoptions(m, opt, phlen) ip = mtod(m, struct ip *); (void)memcpy(ip + 1, p->ipopt_list, (unsigned)optlen); *phlen = sizeof(struct ip) + optlen; + ip->ip_hl = *phlen >> 2; ip->ip_len += optlen; return (m); } diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 7a0e909..1c3b8e1 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95 - * $Id: raw_ip.c,v 1.27 1996/02/24 13:38:28 phk Exp $ + * $Id: raw_ip.c,v 1.28 1996/03/11 15:13:24 davidg Exp $ */ #include <sys/param.h> @@ -166,17 +166,23 @@ rip_output(m, so, dst) ip->ip_src = inp->inp_laddr; ip->ip_dst.s_addr = dst; ip->ip_ttl = MAXTTL; - opts = inp->inp_options; } else { ip = mtod(m, struct ip *); + /* don't allow both user specified and setsockopt options, + and don't allow packet length sizes that will crash */ + if (((ip->ip_hl != (sizeof (*ip) >> 2)) && inp->inp_options) || + (ip->ip_len > m->m_pkthdr.len)) { + m_freem(m); + return EINVAL; + } if (ip->ip_id == 0) ip->ip_id = htons(ip_id++); - opts = NULL; /* XXX prevent ip_output from overwriting header fields */ flags |= IP_RAWOUTPUT; ipstat.ips_rawout++; } - return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions)); + return (ip_output(m, inp->inp_options, &inp->inp_route, flags, + inp->inp_moptions)); } /* |
