diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-03-30 12:15:30 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-03-30 12:15:30 +0000 |
| commit | 3fb68333ec31e4c9a3365038375b6c3fd2256c0a (patch) | |
| tree | 09e593c457d42773e3bd3bf85f687643b8f140e4 /sys/netinet6 | |
| parent | fd5f8597ee4c64a203798daa36ba4e9be32a4a1f (diff) | |
Restrict protocol numbers for raw sockets to the range from 0 to 255.
OK deraadt@ guenther@
Diffstat (limited to 'sys/netinet6')
| -rw-r--r-- | sys/netinet6/raw_ip6.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 0a2559a6d69..531efd0cece 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip6.c,v 1.49 2013/03/28 16:45:16 tedu Exp $ */ +/* $OpenBSD: raw_ip6.c,v 1.50 2013/03/30 12:15:29 bluhm Exp $ */ /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */ /* @@ -613,6 +613,10 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam, error = EACCES; break; } + if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) { + error = EPROTONOSUPPORT; + break; + } s = splsoftnet(); if ((error = soreserve(so, rip6_sendspace, rip6_recvspace)) != 0) { splx(s); |