diff options
| author | kris <kris@FreeBSD.org> | 2001-02-20 03:25:50 +0000 |
|---|---|---|
| committer | kris <kris@FreeBSD.org> | 2001-02-20 03:25:50 +0000 |
| commit | 40f8cb7717abff1f4480b170979d585ffa5f37c1 (patch) | |
| tree | efe3f729fd1963351e52c539190264eee0b7e4d0 /sys | |
| parent | aed10fa9a00dc1ec8c43ba79fe2664e765fd808f (diff) | |
| download | FreeBSD-src-40f8cb7717abff1f4480b170979d585ffa5f37c1.zip FreeBSD-src-40f8cb7717abff1f4480b170979d585ffa5f37c1.tar.gz | |
Correct IPv4 option processing.
Submitted by: itojun
Obtained from: KAME
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet6/ah_core.c | 15 | ||||
| -rw-r--r-- | sys/netinet6/ah_output.c | 9 |
2 files changed, 22 insertions, 2 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c index 8e2c353..92481db 100644 --- a/sys/netinet6/ah_core.c +++ b/sys/netinet6/ah_core.c @@ -787,6 +787,19 @@ again: p = mtod(n, u_char *); i = sizeof(struct ip); while (i < hlen) { + if (i + IPOPT_OPTVAL >= hlen) { + error = EINVAL; + goto fail; + } + if (p[i + IPOPT_OPTVAL] == IPOPT_EOL || + p[i + IPOPT_OPTVAL] == IPOPT_NOP || + i + IPOPT_OLEN < hlen) + ; + else { + error = EINVAL; + goto fail; + } + skip = 1; switch (p[i + IPOPT_OPTVAL]) { case IPOPT_EOL: @@ -813,8 +826,6 @@ again: "(type=%02x len=%02x)\n", p[i + IPOPT_OPTVAL], p[i + IPOPT_OLEN])); - m_free(n); - n = NULL; error = EINVAL; goto fail; } diff --git a/sys/netinet6/ah_output.c b/sys/netinet6/ah_output.c index 477c589..df9f4d5 100644 --- a/sys/netinet6/ah_output.c +++ b/sys/netinet6/ah_output.c @@ -521,6 +521,15 @@ ah4_finaldst(m) q = (u_char *)(ip + 1); i = 0; while (i < optlen) { + if (i + IPOPT_OPTVAL >= optlen) + return NULL; + if (q[i + IPOPT_OPTVAL] == IPOPT_EOL || + q[i + IPOPT_OPTVAL] == IPOPT_NOP || + i + IPOPT_OLEN < optlen) + ; + else + return NULL; + switch (q[i + IPOPT_OPTVAL]) { case IPOPT_EOL: i = optlen; /* bye */ |
