2 files changed, 12 insertions, 3 deletions

diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c
index 99b1dcf..5a92fae 100644
--- a/sys/net/if_vlan.c
+++ b/sys/net/if_vlan.c
@@ -394,7 +394,7 @@ vlan_input(struct ifnet *ifp, struct mbuf *m)
 		 * Packet is tagged, m contains a normal
 		 * Ethernet frame; the tag is stored out-of-band.
 		 */
-		tag = *(u_int*)(mtag+1);
+		tag = EVL_VLANOFTAG(*(u_int*)(mtag+1));
 		m_tag_delete(m, mtag);
 	} else {
 		switch (ifp->if_type) {
@@ -409,7 +409,7 @@ vlan_input(struct ifnet *ifp, struct mbuf *m)
 				("vlan_input: bad encapsulated protocols (%u)",
 				 ntohs(evl->evl_encap_proto)));
 
-			tag = ntohs(evl->evl_tag);
+			tag = EVL_VLANOFTAG(ntohs(evl->evl_tag));
 
 			/*
 			 * Restore the original ethertype.  We'll remove
@@ -737,6 +737,14 @@ vlan_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 			error = ENOENT;
 			break;
 		}
+		/*
+		 * Don't let the caller set up a VLAN tag with
+		 * anything except VLID bits.
+		 */
+		if (vlr.vlr_tag & ~EVL_VLID_MASK) {
+			error = EINVAL;
+			break;
+		}
 		error = vlan_config(ifv, p);
 		if (error)
 			break;
diff --git a/sys/net/if_vlan_var.h b/sys/net/if_vlan_var.h
index ff656a6..409db00 100644
--- a/sys/net/if_vlan_var.h
+++ b/sys/net/if_vlan_var.h
@@ -40,7 +40,8 @@ struct	ether_vlan_header {
 	u_int16_t evl_proto;
 };
 
-#define	EVL_VLANOFTAG(tag) ((tag) & 4095)
+#define EVL_VLID_MASK	0x0FFF
+#define	EVL_VLANOFTAG(tag) ((tag) & EVL_VLID_MASK)
 #define	EVL_PRIOFTAG(tag) (((tag) >> 13) & 7)
 
 /* sysctl(3) tags, for compatibility purposes */