From d9971042018a7bfb00c326e1adbd9900d0e81288 Mon Sep 17 00:00:00 2001
From: maxim <maxim@FreeBSD.org>
Date: Mon, 21 Oct 2002 11:43:46 +0000
Subject: Fix LSRR option length check: it has to be less or equal remained
 header's length minus sizeof(struct ip).

MFC after:	1 week
---
 sbin/ping/ping.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'sbin/ping/ping.c')

diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 99a4c0e..e77d582 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -957,7 +957,8 @@ pr_pack(buf, cc, from, tv)
 			j = cp[IPOPT_OLEN] - IPOPT_MINOFF + 1;
 			hlen -= 2;
 			cp += 2;
-			if (j >= INADDR_LEN && j <= hlen - INADDR_LEN) {
+			if (j >= INADDR_LEN &&
+			    j <= hlen - (int)sizeof(struct ip)) {
 				for (;;) {
 					bcopy(++cp, &ina.s_addr, INADDR_LEN);
 					if (ina.s_addr == 0)
-- 
cgit v1.1