From 7641d3bc831bfb36faffefebd0c1afeee2fdafab Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Tue, 16 Oct 2012 08:09:10 +0000
Subject: As CMSG_ALIGN() can overflow the integer value, do the length check with and without alignment. Bug found by Clement Lecigne OK claudio@
---
 sys/netinet6/ip6_output.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 965c4badb6a..fb31a691399 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.127 2012/09/20 10:25:03 blambert Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.128 2012/10/16 08:09:09 bluhm Exp $ */
 /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
 
 /*
@@ -2735,7 +2735,7 @@ ip6_setpktopts(struct mbuf *control, struct ip6_pktopts *opt,
 if (clen < CMSG_LEN(0))
 return (EINVAL);
 cm = (struct cmsghdr *)cmsgs;
- if (cm->cmsg_len < CMSG_LEN(0) ||
+ if (cm->cmsg_len < CMSG_LEN(0) || cm->cmsg_len > clen ||
 CMSG_ALIGN(cm->cmsg_len) > clen)
 return (EINVAL);
 if (cm->cmsg_level == IPPROTO_IPV6) {
-- 
cgit v1.2.3
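Review bot: The rewritten condition in ip6_setpktopts() now compares both `cm->cmsg_len` and `CMSG_ALIGN(cm->cmsg_len)` against `clen`, and nothing in the code says why. The raw comparison looks redundant next to the aligned one, so a later cleanup could drop it and reopen the wrap-around. A comment above the `if` would pin the reason, for example `/* CMSG_ALIGN() can wrap for a huge cmsg_len; check the raw length too */`. The function body starts and ends outside the hunk, so the declaration of `clen` and the code that advances past each control message are not visible here. If that code subtracts the aligned length from `clen`, it relies on this check having rejected the oversized value first, which is worth confirming against the full file.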