diff options
| author | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2021-03-30 08:37:12 +0000 |
|---|---|---|
| committer | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2021-03-30 08:37:12 +0000 |
| commit | b7ec9dbdc8df9e4a4e351770874eb9e10c23552b (patch) | |
| tree | 519e201482e484e4c0faec2c529072e1ec57391b /sys/netinet/ip_output.c | |
| parent | 3a246739b2e7ec5821ba5c655c50c1eb398e7e04 (diff) | |
[ICMP] IP options lead to malformed reply
icmp_send() must update IP header length if IP optaions are appended.
Such packet also has to be dispatched with IP_RAWOUTPUT flags.
Bug reported and fix co-designed by Dominik Schreilechner _at_ siemens _dot_ com
OK bluhm@
Diffstat (limited to 'sys/netinet/ip_output.c')
| -rw-r--r-- | sys/netinet/ip_output.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index c01a3e7803c..e9e41517e7b 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.369 2021/03/20 01:15:28 dlg Exp $ */ +/* $OpenBSD: ip_output.c,v 1.370 2021/03/30 08:37:11 sashan Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -765,6 +765,13 @@ ip_insertoptions(struct mbuf *m, struct mbuf *opt, int *phlen) optlen = opt->m_len - sizeof(p->ipopt_dst); if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET) return (m); /* XXX should fail */ + + /* check if options will fit to IP header */ + if ((optlen + sizeof(struct ip)) > (0x0f << 2)) { + *phlen = sizeof(struct ip); + return (m); + } + if (p->ipopt_dst.s_addr) ip->ip_dst = p->ipopt_dst; if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) { |