summaryrefslogtreecommitdiff
path: root/sys/netinet/udp_usrreq.c
diff options
context:
space:
mode:
authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-10-13 17:58:38 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-10-13 17:58:38 +0000
commit4b55b9f6971d49aed0f2eb3af6553a428fa15e5f (patch)
tree80f7e806e197ea97c4d29040bca603819d27a87c /sys/netinet/udp_usrreq.c
parentb272da417dae46e5fd9ed0a269d8b395d6374340 (diff)
validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system. sync with kame.
Diffstat (limited to 'sys/netinet/udp_usrreq.c')
-rw-r--r--sys/netinet/udp_usrreq.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index ceec64207ec..d3ecb7d686f 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.50 2000/10/11 09:14:13 itojun Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.51 2000/10/13 17:58:37 itojun Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -693,7 +693,7 @@ udp_ctlinput(cmd, sa, v)
void *v;
{
register struct ip *ip = v;
- register struct udphdr *uh;
+ register struct udphdr *uhp;
extern int inetctlerrmap[];
void (*notify) __P((struct inpcb *, int)) = udp_notify;
int errno;
@@ -712,12 +712,14 @@ udp_ctlinput(cmd, sa, v)
#ifdef INET6
if (sa->sa_family == AF_INET6) {
if (ip) {
- struct ip6_hdr *ipv6 = (struct ip6_hdr *)ip;
+ struct ip6_hdr *ip6 = (struct ip6_hdr *)ip;
- uh = (struct udphdr *)((caddr_t)ipv6 + sizeof(struct ip6_hdr));
+ /* XXX we assume that the mbuf is sane enough */
+
+ uhp = (struct udphdr *)((caddr_t)ip6 + sizeof(*ip6));
#if 0 /*XXX*/
- in6_pcbnotify(&udbtable, sa, uh->uh_dport,
- &(ipv6->ip6_src), uh->uh_sport, cmd, udp_notify);
+ in6_pcbnotify(&udbtable, sa, uhp->uh_dport,
+ &(ip6->ip6_src), uhp->uh_sport, cmd, udp_notify);
#endif
} else {
#if 0 /*XXX*/
@@ -728,9 +730,9 @@ udp_ctlinput(cmd, sa, v)
} else
#endif /* INET6 */
if (ip) {
- uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
- in_pcbnotify(&udbtable, sa, uh->uh_dport, ip->ip_src,
- uh->uh_sport, errno, notify);
+ uhp = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
+ in_pcbnotify(&udbtable, sa, uhp->uh_dport, ip->ip_src,
+ uhp->uh_sport, errno, notify);
} else
in_pcbnotifyall(&udbtable, sa, errno, notify);
return NULL;