aboutsummaryrefslogtreecommitdiff
path: root/sys/netinet6
diff options
context:
space:
mode:
authorKris Kennaway <kris@FreeBSD.org>2001-02-20 03:25:50 +0000
committerKris Kennaway <kris@FreeBSD.org>2001-02-20 03:25:50 +0000
commit504d8fd0401910d3f7abf6a550ac0ce3df7bdd16 (patch)
tree0e715a8e14a880760c1dfea4f26d936c17c9ffc8 /sys/netinet6
parentda33b5e7454cc3d7ec4e221720f1615ee07eced4 (diff)
downloadsrc-504d8fd0401910d3f7abf6a550ac0ce3df7bdd16.tar.gz
src-504d8fd0401910d3f7abf6a550ac0ce3df7bdd16.zip
Correct IPv4 option processing.
Submitted by: itojun Obtained from: KAME
Notes
Notes: svn path=/head/; revision=72739
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ah_core.c15
-rw-r--r--sys/netinet6/ah_output.c9
2 files changed, 22 insertions, 2 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c
index 8e2c353d56b9..92481db29a5d 100644
--- a/sys/netinet6/ah_core.c
+++ b/sys/netinet6/ah_core.c
@@ -787,6 +787,19 @@ again:
p = mtod(n, u_char *);
i = sizeof(struct ip);
while (i < hlen) {
+ if (i + IPOPT_OPTVAL >= hlen) {
+ error = EINVAL;
+ goto fail;
+ }
+ if (p[i + IPOPT_OPTVAL] == IPOPT_EOL ||
+ p[i + IPOPT_OPTVAL] == IPOPT_NOP ||
+ i + IPOPT_OLEN < hlen)
+ ;
+ else {
+ error = EINVAL;
+ goto fail;
+ }
+
skip = 1;
switch (p[i + IPOPT_OPTVAL]) {
case IPOPT_EOL:
@@ -813,8 +826,6 @@ again:
"(type=%02x len=%02x)\n",
p[i + IPOPT_OPTVAL],
p[i + IPOPT_OLEN]));
- m_free(n);
- n = NULL;
error = EINVAL;
goto fail;
}
diff --git a/sys/netinet6/ah_output.c b/sys/netinet6/ah_output.c
index 477c589534c8..df9f4d592bc5 100644
--- a/sys/netinet6/ah_output.c
+++ b/sys/netinet6/ah_output.c
@@ -521,6 +521,15 @@ ah4_finaldst(m)
q = (u_char *)(ip + 1);
i = 0;
while (i < optlen) {
+ if (i + IPOPT_OPTVAL >= optlen)
+ return NULL;
+ if (q[i + IPOPT_OPTVAL] == IPOPT_EOL ||
+ q[i + IPOPT_OPTVAL] == IPOPT_NOP ||
+ i + IPOPT_OLEN < optlen)
+ ;
+ else
+ return NULL;
+
switch (q[i + IPOPT_OPTVAL]) {
case IPOPT_EOL:
i = optlen; /* bye */