summaryrefslogtreecommitdiffstats
path: root/sys/netinet6
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ah_core.c15
-rw-r--r--sys/netinet6/ah_output.c9
2 files changed, 22 insertions, 2 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c
index 8e2c353..92481db 100644
--- a/sys/netinet6/ah_core.c
+++ b/sys/netinet6/ah_core.c
@@ -787,6 +787,19 @@ again:
p = mtod(n, u_char *);
i = sizeof(struct ip);
while (i < hlen) {
+ if (i + IPOPT_OPTVAL >= hlen) {
+ error = EINVAL;
+ goto fail;
+ }
+ if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
+ p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
+ i + IPOPT_OLEN < hlen)
+ ;
+ else {
+ error = EINVAL;
+ goto fail;
+ }
+
skip = 1;
switch (p[i + IPOPT_OPTVAL]) {
case IPOPT_EOL:
@@ -813,8 +826,6 @@ again:
"(type=%02x len=%02x)\n",
p[i + IPOPT_OPTVAL],
p[i + IPOPT_OLEN]));
- m_free(n);
- n = NULL;
error = EINVAL;
goto fail;
}
diff --git a/sys/netinet6/ah_output.c b/sys/netinet6/ah_output.c
index 477c589..df9f4d5 100644
--- a/sys/netinet6/ah_output.c
+++ b/sys/netinet6/ah_output.c
@@ -521,6 +521,15 @@ ah4_finaldst(m)
q = (u_char *)(ip + 1);
i = 0;
while (i < optlen) {
+ if (i + IPOPT_OPTVAL >= optlen)
+ return NULL;
+ if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
+ q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
+ i + IPOPT_OLEN < optlen)
+ ;
+ else
+ return NULL;
+
switch (q[i + IPOPT_OPTVAL]) {
case IPOPT_EOL:
i = optlen; /* bye */
OpenPOWER on IntegriCloud