author | ume <ume@FreeBSD.org> | 2003-10-12 11:18:04 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2003-10-12 11:18:04 +0000 |
commit | efae2cbb66643c1b8e0794e29d308b83930b8e64 (patch) | |
tree | d3576e6bb734aecd98e0291341b75cf5e38995ee /sys/netinet6/ah_core.c | |
parent | 10cc9981e24923b46f694ef6fd0bc61dd2cf82bc (diff) | |
- always check for optlen overrun.
- panic if NULL is passed to ah_sumsiz (as we never do it,
and callers do not properly check negative returns).
Obtained from: KAME
Diffstat (limited to 'sys/netinet6/ah_core.c')
-rw-r--r-- | sys/netinet6/ah_core.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c
index e576248..e0274ab 100644
--- a/sys/netinet6/ah_core.c
+++ b/sys/netinet6/ah_core.c
@@ -220,7 +220,7 @@ ah_sumsiz_1216(sav)
 struct secasvar *sav;
 {
 if (!sav)
- return -1;
+ panic("ah_sumsiz_1216: null pointer is passed");
 if (sav->flags & SADB_X_EXT_OLD)
 return 16;
 else
@@ -232,7 +232,7 @@ ah_sumsiz_zero(sav)
 struct secasvar *sav;
 {
 if (!sav)
- return -1;
+ panic("ah_sumsiz_zero: null pointer is passed");
 return 0;
 }

@@ -1571,11 +1571,18 @@ ah6_calccksum(m, ahdat, len, algo, sav)
 goto fail;
 }
 optlen = optp[1] + 2;
+ }

- if (optp[0] & IP6OPT_MUTABLE)
- bzero(optp + 2, optlen - 2);
+ if (optp + optlen > optend) {
+ error = EINVAL;
+ m_free(n);
+ n = NULL;
+ goto fail;
 }

+ if (optp[0] & IP6OPT_MUTABLE)
+ bzero(optp + 2, optlen - 2);
+
 optp += optlen;
 }

|
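Review bot: The NULL guards in ah_sumsiz_1216 and ah_sumsiz_zero now halt the kernel instead of returning -1, and nothing at either site records why. The commit message explains that callers never pass NULL and do not check negative returns; that reasoning belongs next to the code, for example `/* sav must not be NULL: callers use the result as a size and do not check for -1 */` above each `if (!sav)`. These helpers appear to sit on the AH packet-processing path, so it is worth confirming that no caller can reach them with an SA pointer left NULL after a failed lookup, since that would turn a dropped packet into a panic; the callers are not part of this diff. Both function bodies begin before their hunks.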
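Review bot: The new bound check `if (optp + optlen > optend)` in ah6_calccksum forms a pointer past the end of the option buffer before comparing it, which is the very case it is meant to reject; computing a pointer more than one element past an object is undefined in C, so compare lengths instead: `if (optlen > optend - optp) {`. This assumes optp never exceeds optend at this point, which the loop condition (outside the hunk) presumably guarantees. Because the check now has to run before `bzero(optp + 2, optlen - 2)`, a short comment such as `/* the option must fit inside the header before its data is zeroed */` would keep a later edit from reordering the two. The function and the enclosing loop start and end outside the hunk.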