authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-12-06 20:14:54 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-12-06 20:14:54 +0000
commit10bff34087f425c2396a7feaa35ffbbec2ee3951 (patch)
tree12e501e94758f228090298f325951fcb5317f893 /sys
parentb68890cf4a9f8bd78fe51ce68825cc8caa3edb17 (diff)
Sanity check on inner IP header in IP-in-IP encapsulation; could be
exploited to crash systems that allowed IP-in-IP protocol (sysctl -w net.inet.ipip.allow=1)
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_ipip.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c
index 555c75a1ba3..8d680706688 100644
--- a/sys/netinet/ip_ipip.c
+++ b/sys/netinet/ip_ipip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipip.c,v 1.21 2001/08/19 06:31:56 angelos Exp $ */
+/* $OpenBSD: ip_ipip.c,v 1.22 2001/12/06 20:14:53 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -208,6 +208,13 @@ ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Remove outer IP header */
m_adj(m, iphlen);
+ /* Sanity check */
+ if (m->m_pkthdr.len < sizeof(struct ip)) {
+ ipipstat.ipips_hdrops++;
+ m_freem(m);
+ return;
+ }
+
m_copydata(m, 0, 1, &v);
switch (v >> 4) {
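Review bot: The added length check in ipip_input() compares against `sizeof(struct ip)` before the inner version nibble is read, so it guarantees only a minimal IPv4 header. The `switch (v >> 4)` that follows continues outside this hunk; if it also accepts an inner IPv6 packet, confirm that branch checks the length against the IPv6 header size before any header field is touched. The comment `/* Sanity check */` does not say what is being protected; `/* Inner packet must hold at least an IPv4 header; m_copydata() below reads its first byte */` would tell the next reader why the packet is dropped. Because `m_pkthdr.len` is compared with a `size_t`, the test is unsigned, which is presumably harmless after `m_adj()`, but it is worth confirming the length can never be negative at this point.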