Subject: Re: CVS commit: syssrc/sys/netinet
To: None <itojun@netbsd.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: source-changes
Date: 06/05/2002 22:04:06
From: Jun-ichiro itojun Hagino <itojun@netbsd.org>
Subject: CVS commit: syssrc/sys/netinet
Date: Tue, 4 Jun 2002 13:06:29 +0300 (EEST)
>
> Module Name: syssrc
> Committed By: itojun
> Date: Tue Jun 4 10:06:29 UTC 2002
>
> Modified Files:
> syssrc/sys/netinet: ip_nat.c
>
> Log Message:
> in mss clamping code, do not go past TCPOPT_EOL. enforce stricter
> boundary checking. discussed on tech-net
It should be like the attached patch?
---
YAMAMOTO Takashi<yamt@mwd.biglobe.ne.jp>
Index: ip_nat.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/ip_nat.c,v
retrieving revision 1.49
diff -u -p -r1.49 ip_nat.c
--- ip_nat.c 2002/06/04 10:06:27 1.49
+++ ip_nat.c 2002/06/05 13:02:12
@@ -1157,7 +1157,7 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
hlen = tcp->th_off << 2;
if (hlen > sizeof(*tcp)) {
cp = (uint8_t *)tcp + sizeof(*tcp);
- ep = cp + hlen;
+ ep = cp + hlen - sizeof(*tcp);
while (cp < ep) {
opt = cp[0];
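Review bot: the new `ep = cp + hlen - sizeof(*tcp);` is harder to audit than it needs to be. Since cp was just set to `(uint8_t *)tcp + sizeof(*tcp)`, writing `ep = (uint8_t *)tcp + hlen;` gives the same address and makes it obvious that ep is one past the last option byte. Separately, hlen comes straight from `tcp->th_off << 2` and nothing in the lines shown checks it against the amount of packet data actually present, so the loop bound is only as trustworthy as the sender's header; if the caller does not already guarantee that hlen bytes are contiguous and available, that check belongs before this loop.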
@@ -1168,7 +1168,7 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
continue;
}
- if (&cp[1] > ep)
+ if (&cp[1] >= ep)
break;
advance = cp[1];
if (&cp[advance] > ep)
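Review bot: right after `advance = cp[1];` the only test shown is `if (&cp[advance] > ep)`, which accepts an option length of 0 or 1. With `>=` in the preceding check and ep as a one-past-the-end pointer, reading cp[1] is now safe, but a length below 2 is malformed for any option that carries a length byte, and a length of 0 would keep cp from moving if the loop advances by `advance`. Unless that is handled outside this hunk, consider `if (advance < 2 || &cp[advance] > ep) break;`.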
@@ -1177,11 +1177,11 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
case TCPOPT_MAXSEG:
if (advance != 4)
break;
- memcpy(&v, &cp[2], sizeof(mss));
+ memcpy(&v, &cp[2], sizeof(v));
mss = ntohs(v);
if (mss > maxmss) {
v = htons(maxmss);
- memcpy(&cp[2], &v, sizeof(mss));
+ memcpy(&cp[2], &v, sizeof(v));
CALC_SUMD(mss, maxmss, sumd);
fix_outcksum(fin, csump, sumd);
}
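Review bot: in the TCPOPT_MAXSEG case both memcpy calls are in bounds only if `sizeof(v)` is 2, because the `advance != 4` check guarantees exactly two payload bytes at `&cp[2]`. The declarations of v and mss are not in this hunk; the `ntohs(v)` / `htons(maxmss)` use implies a 16-bit v, but it would be worth declaring it as a fixed-width 16-bit type (or noting it in a comment) so the copy size and the option layout cannot drift apart the way `sizeof(mss)` could.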