Fix bug in dealing with "hlen == 1 and opt > 1"

author: darrenr <darrenr@FreeBSD.org> 2000-05-09 23:35:24 +0000
committer: darrenr <darrenr@FreeBSD.org> 2000-05-09 23:35:24 +0000
commit: 4e731bbb1b9153f6c20b7f97e0a3c29d5a9fc1b5 (patch)
tree: 4f2e4f156fac8dd466e6f4409a584a86cd8c0188 /sys/contrib/ipfilter
parent: dc13001fde15e358f09fdb416241118abc5e0985 (diff)
download: FreeBSD-src-4e731bbb1b9153f6c20b7f97e0a3c29d5a9fc1b5.zip
FreeBSD-src-4e731bbb1b9153f6c20b7f97e0a3c29d5a9fc1b5.tar.gz
1 files changed, 10 insertions, 4 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 3a5444a..bb53f49 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -285,13 +285,19 @@ getports:
 	}
 
 
-	for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen; ) {
+	for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
 		opt = *s;
 		if (opt == '\0')
 			break;
-		ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
-		if (opt > 1 && (ol < 2 || ol > hlen))
-			break;
+		else if (opt == IPOPT_NOP)
+			ol = 1;
+		else {
+			if (hlen < 2)
+				break;
+			ol = (int)*(s + 1);
+			if (ol < 2 || ol > hlen)
+				break;
+		}
 		for (i = 9, mv = 4; mv >= 0; ) {
 			op = ipopts + i;
 			if (opt == (u_char)op->ol_val) {
author	darrenr <darrenr@FreeBSD.org>	2000-05-09 23:35:24 +0000
committer	darrenr <darrenr@FreeBSD.org>	2000-05-09 23:35:24 +0000
commit	4e731bbb1b9153f6c20b7f97e0a3c29d5a9fc1b5 (patch)
tree	4f2e4f156fac8dd466e6f4409a584a86cd8c0188 /sys/contrib/ipfilter
parent	dc13001fde15e358f09fdb416241118abc5e0985 (diff)
download	FreeBSD-src-4e731bbb1b9153f6c20b7f97e0a3c29d5a9fc1b5.zip FreeBSD-src-4e731bbb1b9153f6c20b7f97e0a3c29d5a9fc1b5.tar.gz