diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-06-17 19:50:07 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-06-17 19:50:07 +0000 |
| commit | af0fc5610af1cffbec26c32357c72999e9850a4e (patch) | |
| tree | 4fc87b38401afbeaae5629393661b23642d41b54 /sys/net/pf.c | |
| parent | 543386a458bf14d85e2b48bf01127868dae77954 (diff) | |
Before pulling the TCP options from the mbuf onto the stack, do an
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation. As this is not obvious, be better safe than sorry.
OK henning@
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 494f844aa14..799463d302a 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.834 2013/06/05 00:56:35 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.835 2013/06/17 19:50:06 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2457,8 +2457,8 @@ pf_modulate_sack(struct pf_pdesc *pd, struct pf_state_peer *dst) struct sackblk sack; #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) - if (hlen < TCPOLEN_SACKLEN || !pf_pull_hdr(pd->m, pd->off + sizeof(*th), - opts, hlen, NULL, NULL, pd->af)) + if (hlen < TCPOLEN_SACKLEN || hlen > MAX_TCPOPTLEN || !pf_pull_hdr( + pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) return 0; while (hlen >= TCPOLEN_SACKLEN) { |