author | itojun <itojun@FreeBSD.org> | 2000-05-10 01:25:33 +0000 |
---|---|---|
committer | itojun <itojun@FreeBSD.org> | 2000-05-10 01:25:33 +0000 |
commit | d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e (patch) | |
tree | 867007d5a997a595bdf669a473fce2ee59dc1ae7 /sys/netinet/ip_input.c | |
parent | 3407cffd5743913e8139db168932d47d674ba338 (diff) | |
correct more out-of-bounds memory access, if cnt == 1 and optlen > 1.
similar to recent fix to sys/netinet/ipf.c (by darren).
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 0d9273d..683a767 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1078,6 +1078,10 @@ ip_dooptions(m) if (opt == IPOPT_NOP) optlen = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) { + code = &cp[IPOPT_OLEN] - (u_char *)ip; + goto bad; + } optlen = cp[IPOPT_OLEN]; if (optlen <= 0 || optlen > cnt) { code = &cp[IPOPT_OLEN] - (u_char *)ip; |
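Review bot: in the new `cnt < IPOPT_OLEN + sizeof(*cp)` branch, `code` is still computed from `&cp[IPOPT_OLEN]`, which is the byte the check has just found to lie beyond the `cnt` bytes left, so the reported offset points past the data that was actually present. Consider reporting the offset of `cp` itself (the option type byte) in this branch, or add a comment saying that the length-byte offset is intentional. Two smaller points on the same lines: `sizeof(*cp)` makes the comparison unsigned (`size_t`), whereas the existing `optlen > cnt` test below compares without it, so writing the bound as `IPOPT_OLEN + 1` or casting the `sizeof` would keep both checks in the same arithmetic; and the new block duplicates the `code = ...; goto bad;` pair of the check that follows it, so a one-line comment explaining that this guard exists to make the `cp[IPOPT_OLEN]` read safe would help the next reader see why both are needed.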