diff options
| author | glebius <glebius@FreeBSD.org> | 2005-02-11 23:07:22 +0000 |
|---|---|---|
| committer | glebius <glebius@FreeBSD.org> | 2005-02-11 23:07:22 +0000 |
| commit | b8a36d0c630d4c447ab50cc3cc8fcb5e349265b4 (patch) | |
| tree | 4c2939c0c87f2e1cf56b3c67724701fc640a2f4e /sys | |
| parent | ea01332a61f19e33979ce6e24013461d2ed70c2a (diff) | |
| download | FreeBSD-src-b8a36d0c630d4c447ab50cc3cc8fcb5e349265b4.zip FreeBSD-src-b8a36d0c630d4c447ab50cc3cc8fcb5e349265b4.tar.gz | |
Do not trust ipfw: check m_len always, not only after m_dup.
Submitted by: ru
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netgraph/ng_ipfw.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c index 89a0a77..b4b421b 100644 --- a/sys/netgraph/ng_ipfw.c +++ b/sys/netgraph/ng_ipfw.c @@ -294,10 +294,13 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) m_tag_prepend(m, &ngit->mt); } else - if ((m = m_dup(*m0, M_DONTWAIT)) == NULL || - (m = m_pullup(m, sizeof(struct ip))) == NULL) + if ((m = m_dup(*m0, M_DONTWAIT)) == NULL) return (ENOMEM); /* which is ignored */ + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) + return(EINVAL); + ip = mtod(m, struct ip *); ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); |
