author | fenner <fenner@FreeBSD.org> | 1997-05-22 20:52:56 +0000 |
---|---|---|
committer | fenner <fenner@FreeBSD.org> | 1997-05-22 20:52:56 +0000 |
commit | 62468b6b29a79f5ffe5e3005fac1ead30f8d46ac (patch) | |
tree | 0845206f97c226b83221381de3fb47bfd1305f13 /sys/netinet/raw_ip.c | |
parent | fe603e69b398e37f7857c6fe16489d7969a9a25f (diff) | |
Disallow writing raw IP packets shorter than the IP header.
Diffstat (limited to 'sys/netinet/raw_ip.c')
-rw-r--r-- | sys/netinet/raw_ip.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 1320913..51594c7 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE. * * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
- * $Id: raw_ip.c,v 1.44 1997/04/03 05:14:43 davidg Exp $
+ * $Id: raw_ip.c,v 1.45 1997/04/27 20:01:10 wollman Exp $
 */ #include <sys/param.h>
@@ -203,7 +203,8 @@ rip_output(m, so, dst)
 and don't allow packet length sizes that will crash */
 if (((IP_VHL_HL(ip->ip_vhl) != (sizeof (*ip) >> 2)) && inp->inp_options)
- || (ip->ip_len > m->m_pkthdr.len)) {
+ || (ip->ip_len > m->m_pkthdr.len)
+ || (ip->ip_len < (IP_VHL_HL(ip->ip_vhl) << 2))) {
 m_freem(m);
 return EINVAL;
 } |
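Review bot: The new lower bound in the rip_output hunk compares `ip->ip_len` with the header length that the caller wrote into `ip_vhl`, not with the minimum IP header size. A caller-supplied header that declares fewer than five 32-bit words therefore still passes with `ip_len` below `sizeof (*ip)`, which is the case the commit message says it disallows. The non-default header length is only rejected when `inp->inp_options` is set, so I would add a floor to the same condition: `|| (IP_VHL_HL(ip->ip_vhl) < (sizeof (*ip) >> 2))`. Whether the declared header length is also bounded by the data actually present in the first mbuf cannot be seen here, since rip_output's body starts and ends outside the hunk; it is worth confirming before relying on `ip_vhl` further down.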