[src/netbsd-1-6]: src/usr.sbin/rtadvd Pull up revision 1.27 (requested by ito...

[tron <tron%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/4baacda20850
branches:  netbsd-1-6
changeset: 530253:4baacda20850
user:      tron <tron%NetBSD.org@localhost>
date:      Mon Jun 02 15:21:03 2003 +0000

description:
Pull up revision 1.27 (requested by itojun in ticket #1212):
add missing ND option length validation.  from kame

diffstat:

 usr.sbin/rtadvd/rtadvd.c |  27 +++++++++++++++++++++++++--
 1 files changed, 25 insertions(+), 2 deletions(-)

diffs (59 lines):

diff -r 5c0c4398fe4f -r 4baacda20850 usr.sbin/rtadvd/rtadvd.c
--- a/usr.sbin/rtadvd/rtadvd.c  Mon Jun 02 15:15:33 2003 +0000
+++ b/usr.sbin/rtadvd/rtadvd.c  Mon Jun 02 15:21:03 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: rtadvd.c,v 1.17 2002/05/21 23:35:18 itojun Exp $       */
+/*     $NetBSD: rtadvd.c,v 1.17.2.1 2003/06/02 15:21:03 tron Exp $     */
 /*     $KAME: rtadvd.c,v 1.63 2002/05/21 23:33:01 itojun Exp $ */
 
 /*
@@ -1201,14 +1201,23 @@
        int optlen = 0;
 
        for (; limit > 0; limit -= optlen) {
+               if (limit < sizeof(struct nd_opt_hdr *)) {
+                       syslog(LOG_INFO, "<%s> short option header", __func__);
+                       goto bad;
+               }
+
                hdr = (struct nd_opt_hdr *)((caddr_t)hdr + optlen);
-               optlen = hdr->nd_opt_len << 3;
                if (hdr->nd_opt_len == 0) {
                        syslog(LOG_ERR,
                            "<%s> bad ND option length(0) (type = %d)",
                            __FUNCTION__, hdr->nd_opt_type);
                        goto bad;
                }
+               optlen = hdr->nd_opt_len << 3;
+               if (optlen > limit) {
+                       syslog(LOG_INFO, "<%s> short option", __func__);
+                       goto bad;
+               }
 
 #ifdef MIP6
                if (hdr->nd_opt_type > ND_OPT_HOMEAGENT_INFO)
@@ -1227,10 +1236,24 @@
                        continue;
                }
 
+               /*
+                * Option length check.  Do it here for all fixed-length
+                * options.
+                */
+               if ((hdr->nd_opt_type == ND_OPT_MTU &&
+                   (optlen != sizeof(struct nd_opt_mtu))) ||
+                   ((hdr->nd_opt_type == ND_OPT_PREFIX_INFORMATION &&
+                   optlen != sizeof(struct nd_opt_prefix_info)))) {
+                       syslog(LOG_INFO, "<%s> invalid option length",
+                           __func__);
+                       continue;
+               }
+
                switch (hdr->nd_opt_type) {
                case ND_OPT_SOURCE_LINKADDR:
                case ND_OPT_TARGET_LINKADDR:
                case ND_OPT_REDIRECTED_HEADER:
+                       break;  /* we don't care about these options */
                case ND_OPT_MTU:
 #ifdef MIP6
                case ND_OPT_ADVINTERVAL: