diff options
| author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-10-13 17:58:38 +0000 |
|---|---|---|
| committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-10-13 17:58:38 +0000 |
| commit | 4b55b9f6971d49aed0f2eb3af6553a428fa15e5f (patch) | |
| tree | 80f7e806e197ea97c4d29040bca603819d27a87c /sys/netinet/tcp_subr.c | |
| parent | b272da417dae46e5fd9ed0a269d8b395d6374340 (diff) | |
validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system. sync with kame.
Diffstat (limited to 'sys/netinet/tcp_subr.c')
| -rw-r--r-- | sys/netinet/tcp_subr.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 308e7f28a7a..39043f8e7cc 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_subr.c,v 1.34 2000/10/10 15:16:02 provos Exp $ */ +/* $OpenBSD: tcp_subr.c,v 1.35 2000/10/13 17:58:36 itojun Exp $ */ /* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */ /* @@ -772,6 +772,10 @@ tcp6_ctlinput(cmd, sa, d) ip6_tmp.ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index); + /* check if we can safely examine src and dst ports */ + if (m->m_pkthdr.len < off + sizeof(th)) + return; + if (m->m_len < off + sizeof(th)) { /* * this should be rare case, |