authorume <ume@FreeBSD.org>2003-10-12 11:18:04 +0000
committerume <ume@FreeBSD.org>2003-10-12 11:18:04 +0000
commitefae2cbb66643c1b8e0794e29d308b83930b8e64 (patch)
treed3576e6bb734aecd98e0291341b75cf5e38995ee /sys/netinet6/ah_core.c
parent10cc9981e24923b46f694ef6fd0bc61dd2cf82bc (diff)
- always check for optlen overrun.
- panic if NULL is passed to ah_sumsiz (as we never do it, and callers do not properly check negative returns). Obtained from: KAME
Diffstat (limited to 'sys/netinet6/ah_core.c')
-rw-r--r--sys/netinet6/ah_core.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c
index e576248..e0274ab 100644
--- a/sys/netinet6/ah_core.c
+++ b/sys/netinet6/ah_core.c
@@ -220,7 +220,7 @@ ah_sumsiz_1216(sav)
struct secasvar *sav;
{
if (!sav)
- return -1;
+ panic("ah_sumsiz_1216: null pointer is passed");
if (sav->flags & SADB_X_EXT_OLD)
return 16;
else
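Review bot: The new `panic()` in ah_sumsiz_1216, and the identical one in ah_sumsiz_zero in the next hunk, carries no comment saying why a NULL `sav` is fatal rather than an error return; that reasoning currently lives only in the commit message. I would add above each check something like `/* callers use the result as a length and do not check for < 0, so never return -1 here */`. Any other size callbacks in this file that still return -1 on NULL are not visible in this diff and would be worth checking for the same pattern. The body of ah_sumsiz_1216 continues past the end of this hunk.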
@@ -232,7 +232,7 @@ ah_sumsiz_zero(sav)
struct secasvar *sav;
{
if (!sav)
- return -1;
+ panic("ah_sumsiz_zero: null pointer is passed");
return 0;
}
@@ -1571,11 +1571,18 @@ ah6_calccksum(m, ahdat, len, algo, sav)
goto fail;
}
optlen = optp[1] + 2;
+ }
- if (optp[0] & IP6OPT_MUTABLE)
- bzero(optp + 2, optlen - 2);
+ if (optp + optlen > optend) {
+ error = EINVAL;
+ m_free(n);
+ n = NULL;
+ goto fail;
}
+ if (optp[0] & IP6OPT_MUTABLE)
+ bzero(optp + 2, optlen - 2);
+
optp += optlen;
}
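Review bot: With the `IP6OPT_MUTABLE` test moved out of the `else` branch, `bzero(optp + 2, optlen - 2)` no longer sits next to the code that guarantees `optlen >= 2`. If a branch above the hunk sets `optlen` to 1 for a single-byte pad option, the length would go below zero, and the call is safe only as long as that option type never has the mutable bit set (neither definition is visible here). Making the invariant explicit is cheap: `if (optlen >= 2 && (optp[0] & IP6OPT_MUTABLE))`. Separately, the added bound `optp + optlen > optend` forms a pointer past the end of the buffer before comparing; `optlen > optend - optp` states the same limit without that. The enclosing loop and the start of ah6_calccksum are outside the hunk.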