summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2003-10-31 00:30:20 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2003-10-31 00:30:20 +0000
commit12ba42937618d5920e9c8e47b014294a1e020f52 (patch)
tree34fe8c75d72e2c477593e7cbf7c51639b75e225c
parentf8b684c52c0f80d842183ab3cef669babadfcab3 (diff)
insufficient length check (possible remote DoS). kame PR 507.
ok deraadt markus mcbride
Diffstat
-rw-r--r--usr.sbin/route6d/route6d.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/usr.sbin/route6d/route6d.c b/usr.sbin/route6d/route6d.c
index 20b9ad4ee23..9f91d69db2e 100644
--- a/usr.sbin/route6d/route6d.c
+++ b/usr.sbin/route6d/route6d.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: route6d.c,v 1.38 2003/08/22 08:26:39 itojun Exp $ */
+/* $OpenBSD: route6d.c,v 1.39 2003/10/31 00:30:19 itojun Exp $ */
/* $KAME: route6d.c,v 1.94 2002/10/26 20:08:55 itojun Exp $ */
/*
@@ -31,7 +31,7 @@
*/
#if 0
-static char _rcsid[] = "$OpenBSD: route6d.c,v 1.38 2003/08/22 08:26:39 itojun Exp $";
+static char _rcsid[] = "$OpenBSD: route6d.c,v 1.39 2003/10/31 00:30:19 itojun Exp $";
#endif
#include <stdio.h>
@@ -1066,7 +1066,7 @@ riprecv(void)
struct rip6 *rp;
struct netinfo6 *np, *nq;
struct riprt *rrt;
- int len, nn, need_trigger, idx;
+ ssize_t len, nn, need_trigger, idx;
char buf[4 * RIP6_MAXMTU];
time_t t;
struct msghdr m;
@@ -1108,6 +1108,11 @@ riprecv(void)
if (idx && IN6_IS_ADDR_LINKLOCAL(&fsock.sin6_addr))
SET_IN6_LINKLOCAL_IFINDEX(fsock.sin6_addr, idx);
+ if (len < sizeof(struct rip6)) {
+ trace(1, "Packet too short\n");
+ return;
+ }
+
nh = fsock.sin6_addr;
nn = (len - sizeof(struct rip6) + sizeof(struct netinfo6)) /
sizeof(struct netinfo6);
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-13 21:23:32 +0000