From d94fab6e66bc1f43b12c01759d3baaca6e0df5d2 Mon Sep 17 00:00:00 2001
From: jlemon
Date: Fri, 2 Jun 2000 20:18:38 +0000
Subject: Add boundary checks against IP options.

Obtained from: OpenBSD
---
 sys/netinet/ip_icmp.c | 5 ++++-
 sys/netinet/ip_input.c | 6 +++++-
 sys/netinet/ip_output.c | 4 +++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index c4ea24c..58a4915 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -654,8 +654,11 @@ icmp_reflect(m)
 if (opt == IPOPT_NOP)
 len = 1;
 else {
+ if (cnt < IPOPT_OLEN + sizeof(*cp))
+ break;
 len = cp[IPOPT_OLEN];
- if (len <= 0 || len > cnt)
+ if (len < IPOPT_OLEN + sizeof(*cp) ||
+ len > cnt)
 break;
 }
 /*
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 763674c..fc355af 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1083,7 +1083,7 @@ ip_dooptions(m)
 goto bad;
 }
 optlen = cp[IPOPT_OLEN];
- if (optlen <= 0 || optlen > cnt) {
+ if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
 code = &cp[IPOPT_OLEN] - (u_char *)ip;
 goto bad;
 }
@@ -1189,6 +1189,10 @@ nosourcerouting:
 break;

 case IPOPT_RR:
+ if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
+ code = &cp[IPOPT_OFFSET] - (u_char *)ip;
+ goto bad;
+ }
 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
 goto bad;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 8faed58..2536b63 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1382,8 +1382,10 @@ ip_pcbopts(optname, pcbopt, m)
 if (opt == IPOPT_NOP)
 optlen = 1;
 else {
+ if (cnt < IPOPT_OLEN + sizeof(*cp))
+ goto bad;
 optlen = cp[IPOPT_OLEN];
- if (optlen <= IPOPT_OLEN || optlen > cnt)
+ if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
 goto bad;
 }
 switch (opt) {
--
cgit v1.1
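Review bot: The bound `IPOPT_OLEN + sizeof(*cp)` has type size_t, so in `if (cnt < IPOPT_OLEN + sizeof(*cp))` and in the `len` test after it the left-hand operand is converted to unsigned if `cnt` and `len` are plain ints (their declarations are outside the hunk). The checks then depend on the enclosing loop keeping `cnt` positive, and that loop header is also outside the hunk. The same expression appears in the `optlen` tests of the ip_dooptions and ip_pcbopts hunks. An explicit `(int)` cast on the bound plus a comment such as `/* need the type and length octets before reading cp[IPOPT_OLEN] */` would make both the comparison and the intent unambiguous.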
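Review bot: Only the IPOPT_RR case gains the `optlen < IPOPT_OFFSET + sizeof(*cp)` guard before `cp[IPOPT_OFFSET]` is read, so any other case of this switch that reads the pointer octet should be confirmed to carry the same check. The source-route and timestamp cases are the likely candidates, but they lie outside the hunk. The generic test in the earlier ip_dooptions hunk accepts an option length of 2, which is why each case has to validate its own minimum length. A comment on the new test, e.g. `/* option must be long enough to hold the pointer octet */`, would record why it precedes the IPOPT_MINOFF comparison. The IPOPT_RR case continues past the end of the hunk.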