MFC r290116:

Check the size of data available in mbuf before using it. PR: 202667
author: ae <ae@FreeBSD.org> 2015-11-04 10:42:51 +0000
committer: ae <ae@FreeBSD.org> 2015-11-04 10:42:51 +0000
commit: 375651c350e33dac78ce6464772181ba87277ba3 (patch)
tree: 3dbe50c3cb6d532a277677fdb9f7f9fe72457325 /sys/net
parent: 3fe8aea7a4cf3b7bac37386c8601bc1fcb38e431 (diff)
download: FreeBSD-src-375651c350e33dac78ce6464772181ba87277ba3.zip
FreeBSD-src-375651c350e33dac78ce6464772181ba87277ba3.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/net/if_gre.c b/sys/net/if_gre.c
index b7bcf34..17a324c 100644
--- a/sys/net/if_gre.c
+++ b/sys/net/if_gre.c
@@ -691,6 +691,14 @@ gre_input(struct mbuf **mp, int *offp, int proto)
 	KASSERT(sc != NULL, ("encap_getarg returned NULL"));
 
 	ifp = GRE2IFP(sc);
+	hlen = *offp + sizeof(struct grehdr) + 4 * sizeof(uint32_t);
+	if (m->m_pkthdr.len < hlen)
+		goto drop;
+	if (m->m_len < hlen) {
+		m = m_pullup(m, hlen);
+		if (m == NULL)
+			goto drop;
+	}
 	gh = (struct grehdr *)mtodo(m, *offp);
 	flags = ntohs(gh->gre_flags);
 	if (flags & ~GRE_FLAGS_MASK)
author	ae <ae@FreeBSD.org>	2015-11-04 10:42:51 +0000
committer	ae <ae@FreeBSD.org>	2015-11-04 10:42:51 +0000
commit	375651c350e33dac78ce6464772181ba87277ba3 (patch)
tree	3dbe50c3cb6d532a277677fdb9f7f9fe72457325 /sys/net
parent	3fe8aea7a4cf3b7bac37386c8601bc1fcb38e431 (diff)
download	FreeBSD-src-375651c350e33dac78ce6464772181ba87277ba3.zip FreeBSD-src-375651c350e33dac78ce6464772181ba87277ba3.tar.gz