From f13b6fe378f977bb101bdefab5288f0ba5ebf18b Mon Sep 17 00:00:00 2001
From: kris
Date: Mon, 26 Feb 2001 03:41:13 +0000
Subject: More IP option length validation. Includes the following revisions from KAME (two of these were actually committed previously but the CVS revisions weren't documented): 1.40 kame/kame/sys/netinet6/ah_core.c (committed in previous rev) 1.41 kame/kame/sys/netinet6/ah_core.c 1.28 kame/kame/sys/netinet6/ah_output.c (committed in previous rev) 1.29 kame/kame/sys/netinet6/ah_output.c 1.30 kame/kame/sys/netinet6/ah_output.c 1.129 kame/kame/sys/netinet6/nd6.c 1.130 kame/kame/sys/netinet6/nd6.c 1.24 kame/kame/sys/netinet6/dest6.c 1.25 kame/kame/sys/netinet6/dest6.c Obtained from: KAME
---
 sys/netinet6/nd6.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'sys/netinet6/nd6.c')
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 4298ce2..a4ddfa1 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -274,6 +274,12 @@ nd6_option(ndopts)
 nd_opt = ndopts->nd_opts_search;
+ /* make sure nd_opt_len is inside the buffer */
+ if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
+ bzero(ndopts, sizeof(*ndopts));
+ return NULL;
+ }
+
 olen = nd_opt->nd_opt_len << 3;
 if (olen == 0) {
 /*
@@ -285,7 +291,12 @@ nd6_option(ndopts)
 }
 ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
- if (!(ndopts->nd_opts_search < ndopts->nd_opts_last)) {
+ if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
+ /* option overruns the end of buffer, invalid */
+ bzero(ndopts, sizeof(*ndopts));
+ return NULL;
+ } else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
+ /* reached the end of options chain */
 ndopts->nd_opts_done = 1;
 ndopts->nd_opts_search = NULL;
 }
--
cgit v1.1
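Review bot: The new early exit in the first hunk clears the whole `ndopts` state with `bzero` and returns NULL, but nothing in the visible lines says how a caller should tell this malformed-option case from an ordinary NULL return; the overrun branch in the second hunk has the same gap. Since the zeroed struct is the only signal left behind, I would document it at the check, for example `/* malformed: ndopts is cleared, so nd_opts_last is NULL on return and the caller must reject the packet */`. How the callers actually test for this is outside the diff, so the wording should be confirmed against them. The body of nd6_option starts before and ends after both hunks.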
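Review bot: In the second hunk the bounds test runs only after `nd_opts_search` has already been advanced by `olen`, so for an oversized length the code first forms a pointer beyond `nd_opts_last` and then relies on that out-of-range pointer comparing as greater. Checking the remaining length before the assignment avoids forming that pointer at all: `if (olen > (caddr_t)ndopts->nd_opts_last - (caddr_t)nd_opt)` with the same `bzero` and `return NULL` body, leaving only the `==` end-of-chain test after the advance. The declaration of `olen` is not in the hunk, so the comparison may need a cast to match its type. The enclosing function continues outside the hunk on both sides.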