author | Gleb Smirnoff <glebius@FreeBSD.org> | 2005-02-11 23:07:22 +0000 |
---|---|---|
committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2005-02-11 23:07:22 +0000 |
commit | 8c6f96299610db898ba77b41f97d075bd0d82a5f (patch) | |
tree | 4c2939c0c87f2e1cf56b3c67724701fc640a2f4e | |
parent | aa4e078a04c48beaa21699bab6952f3842d2bbca (diff) | |
Do not trust ipfw: check m_len always, not only after m_dup.
Submitted by: ru
Notes
Notes:
svn path=/head/; revision=141705
-rw-r--r-- | sys/netgraph/ng_ipfw.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c
index 89a0a77af0be..b4b421bf882d 100644
--- a/sys/netgraph/ng_ipfw.c
+++ b/sys/netgraph/ng_ipfw.c
@@ -294,10 +294,13 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
 m_tag_prepend(m, &ngit->mt);
 
 } else
- if ((m = m_dup(*m0, M_DONTWAIT)) == NULL ||
- (m = m_pullup(m, sizeof(struct ip))) == NULL)
+ if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
 return (ENOMEM); /* which is ignored */
 
+ if (m->m_len < sizeof(struct ip) &&
+ (m = m_pullup(m, sizeof(struct ip))) == NULL)
+ return(EINVAL);
+
 ip = mtod(m, struct ip *);
 ip->ip_len = htons(ip->ip_len);
 ip->ip_off = htons(ip->ip_off); |
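Review bot: The new `m_pullup()` check at the bottom of the hunk runs on both paths, and `m_pullup()` frees the chain when it fails, so on the non-tee path the caller must no longer hold a live pointer to that mbuf when `return(EINVAL);` is taken. Where `m` is taken from `*m0` is above the hunk, so confirm `*m0` is cleared there and record it with a comment such as `/* m_pullup() freed the chain; *m0 no longer points at it */`. Also, `m->m_len < sizeof(struct ip)` compares a signed length against `size_t`, so a negative `m_len` would skip the pullup; `m->m_len < (int)sizeof(struct ip)` avoids that. For style, `return(EINVAL);` should be `return (EINVAL);` to match the `return (ENOMEM);` above it. ng_ipfw_input's body starts and ends outside the hunk.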