author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-29 19:46:27 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-29 19:46:27 +0000 |
commit | 2be6784a1c26fe82e7848478c29117bd0fd3122b (patch) | |
tree | 004dad29bb04192c5a767ed61438a2c626951092 /sys | |
parent | 1b0778ca5f2da2bf171a5594011ca9af121fd464 (diff) |
Make sure there's enough data on the mbuf for the TCP/UDP ports (if
applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_spd.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 6ece579637d..521cd39999b 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.3 2000/09/27 07:28:24 angelos Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.4 2000/09/29 19:46:26 angelos Exp $ */

 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -137,6 +137,13 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
 {
 case IPPROTO_UDP:
 case IPPROTO_TCP:
+ /* Make sure there's enough data in the packet */
+ if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t))
+ {
+ *error = EINVAL;
+ return NULL;
+ }
+
 /*
 * Luckily, the offset of the src/dst ports in both the UDP
 * and TCP headers is the same (first two 16-bit values
@@ -181,6 +188,13 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
 {
 case IPPROTO_UDP:
 case IPPROTO_TCP:
+ /* Make sure there's enough data in the packet */
+ if (m->m_pkthdr.len < hlen + 2 * sizeof(u_int16_t))
+ {
+ *error = EINVAL;
+ return NULL;
+ }
+
 /*
 * Luckily, the offset of the src/dst ports in both the UDP
 * and TCP headers is the same (first two 16-bit values |
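Review bot: The new length test under `case IPPROTO_TCP:` compares the signed `m->m_pkthdr.len` against `hlen + 2 * sizeof(u_int16_t)`, which is evaluated as an unsigned `size_t`, so the guard depends on implicit conversion of both `int` operands. That holds for the non-negative values expected here, but spelling it out removes the dependence on what the caller passes as `hlen`: `if (hlen < 0 || m->m_pkthdr.len < hlen + (int)(2 * sizeof(u_int16_t)))`. The identical guard in the third hunk (`@@ -181,6 +188,13 @@`) needs the same change, and because the two copies must stay in sync, a comment such as `/* need src+dst port, 2 x 16 bits, starting at hlen */` would state what the bound protects. The check covers the total packet length rather than the first mbuf, so it is sufficient only if the port read that follows copies across the mbuf chain; that read is outside the visible lines of `ipsp_spd_lookup` and is worth confirming.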