author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-08-14 20:19:21 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-08-14 20:19:21 +0000 |
commit | 8195fcf189f6ad6257cb2b14adfccbedc6046272 (patch) | |
tree | 527e923848eada6dc89064181f7f6e21b9c04c5e /sys | |
parent | 919ec1760ed29cc2d45cd51f2bccd493285acd96 (diff) |
restrict some raw ip packets that may crash ip_output(); from freebsd
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/raw_ip.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 34a39b58cca..aaedb610567 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.6 1996/03/15 07:24:42 tholo Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.7 1996/08/14 20:19:20 deraadt Exp $ */
 /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
 
 /*
@@ -155,7 +155,6 @@ rip_output(m, va_alist)
 u_long dst;
 register struct ip *ip;
 register struct inpcb *inp;
- struct mbuf *opts;
 int flags;
 va_list ap;
 
@@ -181,17 +180,25 @@ rip_output(m, va_alist)
 ip->ip_src = inp->inp_laddr;
 ip->ip_dst.s_addr = dst;
 ip->ip_ttl = MAXTTL;
- opts = inp->inp_options;
 } else {
 ip = mtod(m, struct ip *);
+ /*
+ * don't allow both user specified and setsockopt options,
+ * and don't allow packet length sizes that will crash
+ */
+ if ((ip->ip_hl != (sizeof (*ip) >> 2) && inp->inp_options) ||
+ ip->ip_len > m->m_pkthdr.len) {
+ m_freem(m);
+ return (EINVAL);
+ }
 if (ip->ip_id == 0)
 ip->ip_id = htons(ip_id++);
- opts = NULL;
 /* XXX prevent ip_output from overwriting header fields */
 flags |= IP_RAWOUTPUT;
 ipstat.ips_rawout++;
 }
- return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions));
+ return (ip_output(m, inp->inp_options, &inp->inp_route, flags,
+ inp->inp_moptions));
 }
 
 /* |
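Review bot: The added guard in the `else` branch bounds `ip->ip_len` only from above and looks at `ip->ip_hl` only when `inp->inp_options` is set, so a caller-supplied header with `ip_hl` below `sizeof (*ip) >> 2`, or with `ip_len` smaller than the header length it declares, still reaches `ip_output()` under `IP_RAWOUTPUT`. I would add `ip->ip_hl < (sizeof (*ip) >> 2) ||` and `ip->ip_len < (ip->ip_hl << 2) ||` to the condition so that inconsistent headers are rejected with `EINVAL` as well. The hunk also shows no check that the mbuf holds at least `sizeof (struct ip)` bytes before the `mtod()` result is dereferenced; rip_output starts outside the hunk, so that may already be done earlier and is worth confirming.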