author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2012-10-16 08:09:10 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2012-10-16 08:09:10 +0000 |
commit | 7641d3bc831bfb36faffefebd0c1afeee2fdafab (patch) | |
tree | 20eb8807e9db7e6500c6891356dd589a4e9f7a9b | |
parent | 0cb4438fac40555e04c946897adc45e0be3b1313 (diff) |
As CMSG_ALIGN() can overflow the integer value, do the length check
with and without alignment.
Bug found by Clement Lecigne <clemun AT gmail DOT com>
OK claudio@
-rw-r--r-- | sys/netinet6/ip6_output.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 965c4badb6a..fb31a691399 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.127 2012/09/20 10:25:03 blambert Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.128 2012/10/16 08:09:09 bluhm Exp $ */
 /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
 /*
@@ -2735,7 +2735,7 @@ ip6_setpktopts(struct mbuf *control, struct ip6_pktopts *opt,
 if (clen < CMSG_LEN(0))
 return (EINVAL);
 cm = (struct cmsghdr *)cmsgs;
- if (cm->cmsg_len < CMSG_LEN(0) ||
+ if (cm->cmsg_len < CMSG_LEN(0) || cm->cmsg_len > clen ||
 CMSG_ALIGN(cm->cmsg_len) > clen)
 return (EINVAL);
 if (cm->cmsg_level == IPPROTO_IPV6) { |
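Review bot: The new `cm->cmsg_len > clen` test in the second hunk reads as redundant next to `CMSG_ALIGN(cm->cmsg_len) > clen`, so without a comment it is at risk of being dropped in a later cleanup. A line above the `if` would record the reason, for example `/* CMSG_ALIGN() can wrap for a very large cmsg_len, so bound the raw length as well */`. The commit message states that the aligned value can overflow, in which case the aligned comparison alone would accept a length larger than the buffer. The declarations of `clen` and `cm` and the loop that advances through the control buffer are outside the hunk, so it is presumably worth confirming there that the advance step cannot wrap in the same way. Other control-message parsers that validate only with `CMSG_ALIGN(...) > clen` may need the same raw-length bound.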