correct more out-of-bounds memory access, if cnt == 1 and optlen > 1.

similar to recent fix to sys/netinet/ipf.c (by darren).
author: itojun <itojun@FreeBSD.org> 2000-05-10 01:25:33 +0000
committer: itojun <itojun@FreeBSD.org> 2000-05-10 01:25:33 +0000
commit: d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e (patch)
tree: 867007d5a997a595bdf669a473fce2ee59dc1ae7 /sys/netinet/ip_input.c
parent: 3407cffd5743913e8139db168932d47d674ba338 (diff)
download: FreeBSD-src-d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e.zip
FreeBSD-src-d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 0d9273d..683a767 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1078,6 +1078,10 @@ ip_dooptions(m)
 		if (opt == IPOPT_NOP)
 			optlen = 1;
 		else {
+			if (cnt < IPOPT_OLEN + sizeof(*cp)) {
+				code = &cp[IPOPT_OLEN] - (u_char *)ip;
+				goto bad;
+			}
 			optlen = cp[IPOPT_OLEN];
 			if (optlen <= 0 || optlen > cnt) {
 				code = &cp[IPOPT_OLEN] - (u_char *)ip;
author	itojun <itojun@FreeBSD.org>	2000-05-10 01:25:33 +0000
committer	itojun <itojun@FreeBSD.org>	2000-05-10 01:25:33 +0000
commit	d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e (patch)
tree	867007d5a997a595bdf669a473fce2ee59dc1ae7 /sys/netinet/ip_input.c
parent	3407cffd5743913e8139db168932d47d674ba338 (diff)
download	FreeBSD-src-d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e.zip FreeBSD-src-d6b56ece4b80b7f6c8fe34ed6d216be50c4d838e.tar.gz