Fix ip option processing for raw IP sockets. This whole thing is a compromise

between ignoring options specified in the setsockopt call if IP_HDRINCL is set
(the UCB choice when VJ's code was brought in) vs allowing them (what everyone
else did, and what is assumed by programs everywhere...sigh).

Also perform some checking of the passed down packet to avoid running off
the end of a mbuf chain.

Reviewed by:	fenner

1 files changed, 10 insertions, 4 deletions

diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 7a0e909..1c3b8e1 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
- *	$Id: raw_ip.c,v 1.27 1996/02/24 13:38:28 phk Exp $
+ *	$Id: raw_ip.c,v 1.28 1996/03/11 15:13:24 davidg Exp $
  */
 
 #include <sys/param.h>
@@ -166,17 +166,23 @@ rip_output(m, so, dst)
 		ip->ip_src = inp->inp_laddr;
 		ip->ip_dst.s_addr = dst;
 		ip->ip_ttl = MAXTTL;
-		opts = inp->inp_options;
 	} else {
 		ip = mtod(m, struct ip *);
+		/* don't allow both user specified and setsockopt options,
+		   and don't allow packet length sizes that will crash */
+		if (((ip->ip_hl != (sizeof (*ip) >> 2)) && inp->inp_options) ||
+		     (ip->ip_len > m->m_pkthdr.len)) {
+			m_freem(m);
+			return EINVAL;
+		}
 		if (ip->ip_id == 0)
 			ip->ip_id = htons(ip_id++);
-		opts = NULL;
 		/* XXX prevent ip_output from overwriting header fields */
 		flags |= IP_RAWOUTPUT;
 		ipstat.ips_rawout++;
 	}
-	return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions));
+	return (ip_output(m, inp->inp_options, &inp->inp_route, flags,
+			  inp->inp_moptions));
 }
 
 /*