diff options
author | Kris Kennaway <kris@FreeBSD.org> | 2001-02-20 03:25:50 +0000 |
---|---|---|
committer | Kris Kennaway <kris@FreeBSD.org> | 2001-02-20 03:25:50 +0000 |
commit | 504d8fd0401910d3f7abf6a550ac0ce3df7bdd16 (patch) | |
tree | 0e715a8e14a880760c1dfea4f26d936c17c9ffc8 /sys/netinet6 | |
parent | da33b5e7454cc3d7ec4e221720f1615ee07eced4 (diff) | |
download | src-504d8fd0401910d3f7abf6a550ac0ce3df7bdd16.tar.gz src-504d8fd0401910d3f7abf6a550ac0ce3df7bdd16.zip |
Correct IPv4 option processing.
Submitted by: itojun
Obtained from: KAME
Notes
Notes:
svn path=/head/; revision=72739
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/ah_core.c | 15 | ||||
-rw-r--r-- | sys/netinet6/ah_output.c | 9 |
2 files changed, 22 insertions, 2 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c index 8e2c353d56b9..92481db29a5d 100644 --- a/sys/netinet6/ah_core.c +++ b/sys/netinet6/ah_core.c @@ -787,6 +787,19 @@ again: p = mtod(n, u_char *); i = sizeof(struct ip); while (i < hlen) { + if (i + IPOPT_OPTVAL >= hlen) { + error = EINVAL; + goto fail; + } + if (p[i + IPOPT_OPTVAL] == IPOPT_EOL || + p[i + IPOPT_OPTVAL] == IPOPT_NOP || + i + IPOPT_OLEN < hlen) + ; + else { + error = EINVAL; + goto fail; + } + skip = 1; switch (p[i + IPOPT_OPTVAL]) { case IPOPT_EOL: @@ -813,8 +826,6 @@ again: "(type=%02x len=%02x)\n", p[i + IPOPT_OPTVAL], p[i + IPOPT_OLEN])); - m_free(n); - n = NULL; error = EINVAL; goto fail; } diff --git a/sys/netinet6/ah_output.c b/sys/netinet6/ah_output.c index 477c589534c8..df9f4d592bc5 100644 --- a/sys/netinet6/ah_output.c +++ b/sys/netinet6/ah_output.c @@ -521,6 +521,15 @@ ah4_finaldst(m) q = (u_char *)(ip + 1); i = 0; while (i < optlen) { + if (i + IPOPT_OPTVAL >= optlen) + return NULL; + if (q[i + IPOPT_OPTVAL] == IPOPT_EOL || + q[i + IPOPT_OPTVAL] == IPOPT_NOP || + i + IPOPT_OLEN < optlen) + ; + else + return NULL; + switch (q[i + IPOPT_OPTVAL]) { case IPOPT_EOL: i = optlen; /* bye */ |