author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-06-01 08:18:28 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-06-01 08:18:28 +0000 |
commit | daa9c455ce0f2d9b8edbf41447ead13cf0a8d5a4 (patch) | |
tree | 286653887719de77c7b97102ff8f221bdcd237a1 | |
parent | 905700f8e336eb14d20da3336698af2a983d072d (diff) |
Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.
-rw-r--r-- | sys/netinet/ip_ipsp.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 3e9d0de033e..fdb28b94d7d 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.123 2001/06/01 07:56:46 angelos Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.124 2001/06/01 08:18:27 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -1469,9 +1469,15 @@ ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) m_copydata(m, m->m_pkthdr.len - trail - 8, 8, lasteight); /* Verify the self-describing padding values */ - for (i = 5; lasteight[i + 1] != 0 && i >= 0; i--) - if (lasteight[i + 1] != lasteight[i] + 1) - return tags.lh_first; + if (lasteight[6] != 0) + { + if (lasteight[6] != lasteight[5]) + return tags.lh_first; + + for (i = 4; lasteight[i + 1] != 1 && i >= 0; i--) + if (lasteight[i + 1] != lasteight[i] + 1) + return tags.lh_first; + } } /* Fall through */ case IPPROTO_AH: @@ -1483,6 +1489,7 @@ ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) tdbi = (struct tdb_ident *) (mtag + 1); bzero(tdbi, sizeof(struct tdb_ident)); + /* Get SPI off the relevant header */ if (proto == IPPROTO_AH) m_copydata(m, off + sizeof(u_int32_t), sizeof(u_int32_t), (caddr_t) &tdbi->spi); @@ -1516,13 +1523,15 @@ ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) /* Update next protocol/header and header offset */ if (proto == IPPROTO_AH) { - m_copydata(m, off, sizeof(u_int8_t), (caddr_t) &proto); - m_copydata(m, off + sizeof(u_int8_t), sizeof(u_int8_t), - (caddr_t) &s); - off += (s + 2) << 2; + u_int8_t foo[2]; + + m_copydata(m, off, 2 * sizeof(u_int8_t), foo); + proto = foo[0]; + off += (foo[1] + 2) << 2; } else /* IPPROTO_ESP */ { + /* Initialized in IPPROTO_ESP case */ off += esphlen; proto = lasteight[7]; } |
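Review bot: In the `@@ -1469,9 +1469,15 @@` hunk the new loop `for (i = 4; lasteight[i + 1] != 1 && i >= 0; i--)` reads the array element before it tests the bound, and stays inside `lasteight` only because the index is 0 when `i` reaches -1. Putting the bound first, `for (i = 4; i >= 0 && lasteight[i + 1] != 1; i--)`, gives the same result and makes that safety explicit. The check also covers at most the six pad bytes that fit in `lasteight`, so a pad length above 6 is accepted on the visible bytes alone; a comment such as `/* Only pad bytes inside lasteight[] are checked; longer pads are verified partially */` would record that limit. The enclosing `case` starts outside the hunk.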
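Review bot: In the `@@ -1516,13 +1523,15 @@` hunk, `off += (foo[1] + 2) << 2;` advances the offset by a length byte taken from the packet, and nothing in the hunk compares the new `off` with `m->m_pkthdr.len` before the next `m_copydata()`; the enclosing loop is outside the hunk, so that check may exist there and should be confirmed. The buffer name `foo` says nothing about its contents; something like `u_int8_t nxtlen[2]; /* AH next header, payload length */` would read better. The old calls cast the destination to `caddr_t` while the merged call passes `foo` uncast, which may draw a pointer-type warning if `caddr_t` is `char *` here.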