[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.13 (requested by itojun):

[he <he%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/516fdff5adbf
branches:  netbsd-1-5
changeset: 490743:516fdff5adbf
user:      he <he%NetBSD.org@localhost>
date:      Mon Feb 26 21:55:45 2001 +0000

description:
Pull up revision 1.13 (requested by itojun):
  Correct IPv4 option header chasing.  The old code may overrun
  the buffer if the option header is truncated.

diffstat:

 sys/netinet6/ah_output.c |  11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diffs (25 lines):

diff -r 09279f4da2a3 -r 516fdff5adbf sys/netinet6/ah_output.c
--- a/sys/netinet6/ah_output.c  Mon Feb 26 21:53:48 2001 +0000
+++ b/sys/netinet6/ah_output.c  Mon Feb 26 21:55:45 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ah_output.c,v 1.9.2.2 2000/10/02 23:41:31 itojun Exp $ */
+/*     $NetBSD: ah_output.c,v 1.9.2.3 2001/02/26 21:55:45 he Exp $     */
 /*     $KAME: ah_output.c,v 1.23 2000/07/15 16:07:48 itojun Exp $      */
 
 /*
@@ -533,6 +533,15 @@
        q = (u_char *)(ip + 1);
        i = 0;
        while (i < optlen) {
+               if (i + IPOPT_OPTVAL >= optlen)
+                       return NULL;
+               if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
+                   q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
+                   i + IPOPT_OLEN < optlen)
+                       ;
+               else
+                       return NULL;
+
                switch (q[i + IPOPT_OPTVAL]) {
                case IPOPT_EOL:
                        i = optlen;     /* bye */