author | 2011-01-13 23:36:53 +0000 | |
---|---|---|
committer | 2011-01-13 23:36:53 +0000 | |
commit | 5031a75fc0e40053f39d90ba417f2e958e37099d (patch) | |
tree | b5e9fc39b7f5d5f55593f0114e7b297567cd03e1 | |
parent | if the BIOS tells us to suspend at the same time that we notice a lid (diff) | |
In frag6_input() there was an mbuf length calculation error. If
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@
-rw-r--r-- | sys/netinet6/frag6.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 43e63c1ce85..756d1091c15 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: frag6.c,v 1.30 2010/05/07 13:33:17 claudio Exp $ */
+/* $OpenBSD: frag6.c,v 1.31 2011/01/13 23:36:53 bluhm Exp $ */
 /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */
 /*
@@ -545,12 +545,11 @@ insert:
 *q6->ip6q_nxtp = (u_char)(nxt & 0xff);
 #endif
- /*
- * Delete frag6 header with as a few cost as possible.
- */
- if (offset < m->m_len) {
+ /* Delete frag6 header */
+ if (m->m_len >= offset + sizeof(struct ip6_frag)) {
+ /* This is the only possible case with !PULLDOWN_TEST */
 ovbcopy((caddr_t)ip6, (caddr_t)ip6 + sizeof(struct ip6_frag),
- offset);
+ offset);
 m->m_data += sizeof(struct ip6_frag);
 m->m_len -= sizeof(struct ip6_frag);
 } else {
|
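Review bot: The bound `m->m_len >= offset + sizeof(struct ip6_frag)` in the second hunk is what keeps the `ovbcopy()` below it inside the mbuf, but the shortened comment `/* Delete frag6 header */` no longer says so, and the reasoning lives only in the commit message. I would add a comment above the `if`, such as `/* ovbcopy() moves offset bytes to ip6 + sizeof(struct ip6_frag); the whole destination must lie within this mbuf */`. The comparison also mixes `m->m_len` and `offset` with a `size_t` operand. Their declarations are outside the hunk, so if either is a signed `int` it is worth confirming that neither can be negative here, because a negative value would be converted to a large unsigned one. The `else` branch continues past the end of the hunk and is not covered by this note.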