Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.22 (via diff, requested...
details: https://anonhg.NetBSD.org/src/rev/09279f4da2a3
branches: netbsd-1-5
changeset: 490742:09279f4da2a3
user: he <he%NetBSD.org@localhost>
date: Mon Feb 26 21:53:48 2001 +0000
description:
Pull up revision 1.22 (via diff, requested by itojun):
Correct IPv4 option header chasing. The old code may overrun
the buffer if the option header is truncated.
diffstat:
sys/netinet6/ah_core.c | 17 ++++++++++++++---
1 files changed, 14 insertions(+), 3 deletions(-)
diffs (38 lines):
diff -r 32a12ba08001 -r 09279f4da2a3 sys/netinet6/ah_core.c
--- a/sys/netinet6/ah_core.c Mon Feb 26 21:50:56 2001 +0000
+++ b/sys/netinet6/ah_core.c Mon Feb 26 21:53:48 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ah_core.c,v 1.19.2.1 2000/07/25 04:24:46 itojun Exp $ */
+/* $NetBSD: ah_core.c,v 1.19.2.2 2001/02/26 21:53:48 he Exp $ */
/* $KAME: ah_core.c,v 1.36 2000/07/15 16:07:48 itojun Exp $ */
/*
@@ -833,6 +833,19 @@
p = mtod(n, u_char *);
i = sizeof(struct ip);
while (i < hlen) {
+ if (i + IPOPT_OPTVAL >= hlen) {
+ error = EINVAL;
+ goto fail;
+ }
+ if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
+ p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
+ i + IPOPT_OLEN < hlen)
+ ;
+ else {
+ error = EINVAL;
+ goto fail;
+ }
+
skip = 1;
switch (p[i + IPOPT_OPTVAL]) {
case IPOPT_EOL:
@@ -859,8 +872,6 @@
"(type=%02x len=%02x)\n",
p[i + IPOPT_OPTVAL],
p[i + IPOPT_OLEN]));
- m_free(n);
- n = NULL;
error = EINVAL;
goto fail;
}
Home |
Main Index |
Thread Index |
Old Index