diff options
author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-05-06 17:55:09 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-05-06 17:55:09 +0000 |
commit | 1751de200d208f2c0753e46f48db3320d6c3cda6 (patch) | |
tree | c5d0b6302feabb1eb482d3d6b420e70ed9e7321e /sys | |
parent | 40f6fa7dc9ff66b67b05fd7b606d260f236187d6 (diff) |
avoid underflow on unsigned value arithmetic (when optlen < 4).
2nd half of NetBSD Security Advisory 2000-002.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_input.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index a62dc6f916b..f00bf842056 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.53 2000/05/06 01:47:05 deraadt Exp $ */ +/* $OpenBSD: ip_input.c,v 1.54 2000/05/06 17:55:08 itojun Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -919,7 +919,7 @@ ip_dooptions(m) break; } off--; /* 0 origin */ - if (off > optlen - sizeof(struct in_addr)) { + if ((off + sizeof(struct in_addr)) > optlen) { /* * End of source route. Should be for us. */ @@ -964,7 +964,7 @@ ip_dooptions(m) * If no space remains, ignore. */ off--; /* 0 origin */ - if (off > optlen - sizeof(struct in_addr)) + if ((off + sizeof(struct in_addr)) > optlen) break; bcopy((caddr_t)(&ip->ip_dst), (caddr_t)&ipaddr.sin_addr, sizeof(ipaddr.sin_addr)); |