aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGleb Smirnoff <glebius@FreeBSD.org>2005-02-11 23:07:22 +0000
committerGleb Smirnoff <glebius@FreeBSD.org>2005-02-11 23:07:22 +0000
commit8c6f96299610db898ba77b41f97d075bd0d82a5f (patch)
tree4c2939c0c87f2e1cf56b3c67724701fc640a2f4e
parentaa4e078a04c48beaa21699bab6952f3842d2bbca (diff)
downloadsrc-8c6f96299610db898ba77b41f97d075bd0d82a5f.tar.gz
src-8c6f96299610db898ba77b41f97d075bd0d82a5f.zip
Do not trust ipfw: check m_len always, not only after m_dup.
Submitted by: ru
Notes
Notes: svn path=/head/; revision=141705
-rw-r--r--sys/netgraph/ng_ipfw.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c
index 89a0a77af0be..b4b421bf882d 100644
--- a/sys/netgraph/ng_ipfw.c
+++ b/sys/netgraph/ng_ipfw.c
@@ -294,10 +294,13 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
m_tag_prepend(m, &ngit->mt);
} else
- if ((m = m_dup(*m0, M_DONTWAIT)) == NULL ||
- (m = m_pullup(m, sizeof(struct ip))) == NULL)
+ if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
return (ENOMEM); /* which is ignored */
+ if (m->m_len < sizeof(struct ip) &&
+ (m = m_pullup(m, sizeof(struct ip))) == NULL)
+ return(EINVAL);
+
ip = mtod(m, struct ip *);
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);