be careful on mbuf overrun on ctlinput.

short icmp6 packet may be able to panic the kernel. sync with kame.
author: itojun <itojun@FreeBSD.org> 2000-10-23 07:11:01 +0000
committer: itojun <itojun@FreeBSD.org> 2000-10-23 07:11:01 +0000
commit: 4bd5d6f83f54e5831f1ee64d5968f7b2997da459 (patch)
tree: 196261ebbbc1d9600c322b3113121298062c58c9 /sys/netinet6
parent: b7dce386972136bc112305a345dd6f9c480ac91a (diff)
download: FreeBSD-src-4bd5d6f83f54e5831f1ee64d5968f7b2997da459.zip
FreeBSD-src-4bd5d6f83f54e5831f1ee64d5968f7b2997da459.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index beda1e9..bb0ae73 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$KAME: udp6_usrreq.c,v 1.11 2000/06/18 06:23:06 jinmei Exp $	*/
+/*	$KAME: udp6_usrreq.c,v 1.17 2000/10/13 17:46:21 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -450,6 +450,10 @@ udp6_ctlinput(cmd, sa, d)
 		if (IN6_IS_ADDR_LINKLOCAL(&s))
 			s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
 
+		/* check if we can safely examine src and dst ports */
+		if (m->m_pkthdr.len < off + sizeof(uh))
+			return;
+
 		if (m->m_len < off + sizeof(uh)) {
 			/*
 			 * this should be rare case,
author	itojun <itojun@FreeBSD.org>	2000-10-23 07:11:01 +0000
committer	itojun <itojun@FreeBSD.org>	2000-10-23 07:11:01 +0000
commit	4bd5d6f83f54e5831f1ee64d5968f7b2997da459 (patch)
tree	196261ebbbc1d9600c322b3113121298062c58c9 /sys/netinet6
parent	b7dce386972136bc112305a345dd6f9c480ac91a (diff)
download	FreeBSD-src-4bd5d6f83f54e5831f1ee64d5968f7b2997da459.zip FreeBSD-src-4bd5d6f83f54e5831f1ee64d5968f7b2997da459.tar.gz