author | Hajimu UMEMOTO <ume@FreeBSD.org> | 2003-10-12 11:18:04 +0000 |
---|---|---|
committer | Hajimu UMEMOTO <ume@FreeBSD.org> | 2003-10-12 11:18:04 +0000 |
commit | 83ca448c94e9a3ef79e97a42ff35d75996b28254 (patch) | |
tree | d3576e6bb734aecd98e0291341b75cf5e38995ee /sys/netinet6/ah_core.c | |
parent | 61dbcc0d056aee795efb98a6a3216a5af6966308 (diff) | |
- always check for optlen overrun.
- panic if NULL is passed to ah_sumsiz (as we never do it,
and callers do not properly check negative returns).
Obtained from: KAME
Notes
Notes:
svn path=/head/; revision=121027
Diffstat (limited to 'sys/netinet6/ah_core.c')
-rw-r--r-- | sys/netinet6/ah_core.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c index e57624887065..e0274ab72017 100644 --- a/sys/netinet6/ah_core.c +++ b/sys/netinet6/ah_core.c @@ -220,7 +220,7 @@ ah_sumsiz_1216(sav) struct secasvar *sav; { if (!sav) - return -1; + panic("ah_sumsiz_1216: null pointer is passed"); if (sav->flags & SADB_X_EXT_OLD) return 16; else @@ -232,7 +232,7 @@ ah_sumsiz_zero(sav) struct secasvar *sav; { if (!sav) - return -1; + panic("ah_sumsiz_zero: null pointer is passed"); return 0; } @@ -1571,11 +1571,18 @@ ah6_calccksum(m, ahdat, len, algo, sav) goto fail; } optlen = optp[1] + 2; + } - if (optp[0] & IP6OPT_MUTABLE) - bzero(optp + 2, optlen - 2); + if (optp + optlen > optend) { + error = EINVAL; + m_free(n); + n = NULL; + goto fail; } + if (optp[0] & IP6OPT_MUTABLE) + bzero(optp + 2, optlen - 2); + optp += optlen; } |
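Review bot: The non-NULL requirement on `sav` is now enforced with `panic()` in `ah_sumsiz_1216` and, in the second hunk, `ah_sumsiz_zero`, but nothing next to the functions states that contract. A one-line comment above each would record it, e.g. `/* sav must not be NULL; callers do not check for a negative return */`. Whether every caller really guarantees a non-NULL `sav` cannot be confirmed from these hunks, so the call sites are worth auditing against the commit message's "we never do it": any packet-driven path that could pass NULL would now bring the kernel down instead of returning -1. If the check is meant purely as a development invariant, `KASSERT(sav != NULL, ("ah_sumsiz_1216: null sav"));` says so more directly, with the trade-off that non-INVARIANTS kernels would then dereference NULL.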
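Review bot: The added bound check `if (optp + optlen > optend)` in the third hunk computes a pointer that may lie well past the end of the option area before comparing it, which is undefined behaviour in C; comparing lengths avoids that: `if (optlen > optend - optp) {`. That form assumes `optp <= optend` at the top of each iteration, which the loop condition outside the hunk presumably guarantees. The `IP6OPT_MUTABLE` test has also moved out of the block that computes `optlen` (presumably the last case of a switch), so `bzero(optp + 2, optlen - 2)` now runs for every option type and relies on no earlier case leaving `optlen` below 2 for a type with the mutable bit set; a short comment stating that invariant would help. The switch and the enclosing loop both start outside the hunk.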