summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2001-11-21 19:00:25 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2001-11-21 19:00:25 +0000
commitcc2e9497bb747a31205c2703312b7cd0570f564f (patch)
tree4bf5067a5cdfaca95fc2b71a88aa44d60d730cd2 /sys
parentf20e996720e28445ffbafb376796d278a8f9c21b (diff)
Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashes
in pf_test6() for IPv6 packets with options.
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c23
1 files changed, 13 insertions, 10 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 197227964a9..2b6cb4d6696 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.169 2001/11/20 09:27:58 mpech Exp $ */
+/* $OpenBSD: pf.c,v 1.170 2001/11/21 19:00:24 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -4516,11 +4516,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
pd.proto = h->ip6_nxt;
do {
- while (off >= m->m_len) {
- off -= m->m_len;
- m = m->m_next;
- }
-
switch (pd.proto) {
case IPPROTO_FRAGMENT:
/* XXX we don't handle fragments yet */
@@ -4532,11 +4527,19 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
case IPPROTO_ROUTING:
case IPPROTO_DSTOPTS: {
/* get next header and header length */
- struct _opt6 *opt6;
+ struct _opt6 opt6;
- opt6 = (struct _opt6 *)(mtod(m, caddr_t) + off);
- pd.proto = opt6->opt6_nxt;
- off += (opt6->opt6_hlen + 1) * 8;
+ if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
+ NULL, NULL, pd.af)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: IPv6 short opt\n"));
+ action = PF_DROP;
+ REASON_SET(&reason, PFRES_SHORT);
+ log = 1;
+ goto done;
+ }
+ pd.proto = opt6.opt6_nxt;
+ off += (opt6.opt6_hlen + 1) * 8;
/* goto the next header */
break;
}