diff options
Diffstat (limited to 'sys/netinet6/ah_core.c')
-rw-r--r-- | sys/netinet6/ah_core.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c index 8e2c353d56b9..92481db29a5d 100644 --- a/sys/netinet6/ah_core.c +++ b/sys/netinet6/ah_core.c @@ -787,6 +787,19 @@ again: p = mtod(n, u_char *); i = sizeof(struct ip); while (i < hlen) { + if (i + IPOPT_OPTVAL >= hlen) { + error = EINVAL; + goto fail; + } + if (p[i + IPOPT_OPTVAL] == IPOPT_EOL || + p[i + IPOPT_OPTVAL] == IPOPT_NOP || + i + IPOPT_OLEN < hlen) + ; + else { + error = EINVAL; + goto fail; + } + skip = 1; switch (p[i + IPOPT_OPTVAL]) { case IPOPT_EOL: @@ -813,8 +826,6 @@ again: "(type=%02x len=%02x)\n", p[i + IPOPT_OPTVAL], p[i + IPOPT_OLEN])); - m_free(n); - n = NULL; error = EINVAL; goto fail; } |