Subject: kern/6941: ip_len can be smaller than ip_hl<<2
To: None <gnats-bugs@gnats.netbsd.org>
From: None <proff@suburbia.net>
List: netbsd-bugs
Date: 02/04/1999 15:26:35
>Number:         6941
>Category:       kern
>Synopsis:       ip_len can be smaller than ip_hl<<2
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb  4 07:35:01 1999
>Last-Modified:
>Originator:     Julian Assange
>Organization:
	
>Release:        <NetBSD-current source date> 19990113
>Environment:
	
System: NetBSD suburbia.net 1.3I NetBSD 1.3I (SUBURBIA.PROF) #21: Mon Feb 1 05:57:36 EST 1999 proff@yoshi.iq.org:/usr/src/sys/arch/i386/compile/SUBURBIA.PROF i386


>Description:
in both ipintr(), and ipflow_fastforward() ip_len is not checked vis a vis
ip_hl<<2 for consistency. this permits ipflow_fastforward to forward bogus
packets, and may cause panics in ipintr and above (several calculations
go negative).
	
>How-To-Repeat:
	
>Fix:
test for ip->ip_len < ip->ip_hl and drop packet accordingly
	
>Audit-Trail:
>Unformatted:
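
The consistency check between ip_len and ip_hl<<2 that this report describes, as an added userland example (not part of the original report and not NetBSD's code). The function names, result codes and sample headers are constructed for illustration; the header is read from a raw byte buffer with ip_len in network byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes; names are this example's own, not NetBSD's. */
enum ip_check { IP_OK, IP_TRUNCATED, IP_BAD_HLEN, IP_BAD_LEN };

/* What an unchecked "ip_len - hlen" yields: negative when ip_len < ip_hl<<2. */
int unchecked_payload_len(const uint8_t *buf)
{
	int hlen = (buf[0] & 0x0f) << 2;
	int ip_len = (buf[2] << 8) | buf[3];
	return ip_len - hlen;
}

/* Validate both length fields of an IPv4 header held in buf[0..buflen). */
enum ip_check check_ip_lengths(const uint8_t *buf, size_t buflen, size_t *payload_len)
{
	size_t hlen, ip_len;

	if (buflen < 20)
		return IP_TRUNCATED;
	hlen = (size_t)(buf[0] & 0x0f) << 2;
	ip_len = ((size_t)buf[2] << 8) | buf[3];
	if (hlen < 20 || hlen > buflen)
		return IP_BAD_HLEN;
	if (ip_len < hlen)		/* the inconsistency described in the report */
		return IP_BAD_LEN;
	if (ip_len > buflen)
		return IP_TRUNCATED;
	*payload_len = ip_len - hlen;
	return IP_OK;
}

/* Constructed sample headers (only version/ihl and total length are set). */
const uint8_t good_hdr[28] = { 0x45, 0, 0, 28 };	/* hlen 20, ip_len 28 */
const uint8_t bad_hdr[20]  = { 0x45, 0, 0, 8 };	/* hlen 20, ip_len 8  */
const uint8_t opt_hdr[24]  = { 0x46, 0, 0, 20 };	/* hlen 24, ip_len 20 */

int main(void)
{
	size_t n = 0;
	printf("good: %d\n", (int)check_ip_lengths(good_hdr, sizeof good_hdr, &n));
	printf("bad:  %d (unchecked %d)\n", (int)check_ip_lengths(bad_hdr, sizeof bad_hdr, &n), unchecked_payload_len(bad_hdr));
	printf("opt:  %d (unchecked %d)\n", (int)check_ip_lengths(opt_hdr, sizeof opt_hdr, &n), unchecked_payload_len(opt_hdr));
	return 0;
}
```

The opt_hdr case shows why the comparison has to be against the header length in bytes: an ip_len of 20 passes a fixed minimum-header test yet is still shorter than a 24-byte header with options.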