diff options
| author |   dhartmei <dhartmei@openbsd.org> | 2001-11-21 19:00:24 +0000 |
|---|---|---|
| committer | dhartmei <dhartmei@openbsd.org> | 2001-11-21 19:00:24 +0000 |
| commit | dbbc61935440edb70825e985adb46c96e43dae29 (patch) | |
| tree | 3d634d627f7103e31f7b7fc88f6653fd813e9278 /sys/net/pf.c | |
| parent | more on passphrase construction; ok markus@ (diff) | |
| download | wireguard-openbsd-dbbc61935440edb70825e985adb46c96e43dae29.tar.xz wireguard-openbsd-dbbc61935440edb70825e985adb46c96e43dae29.zip | |
Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashes
in pf_test6() for IPv6 packets with options.
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 197227964a9..2b6cb4d6696 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.169 2001/11/20 09:27:58 mpech Exp $ */ +/* $OpenBSD: pf.c,v 1.170 2001/11/21 19:00:24 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -4516,11 +4516,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); pd.proto = h->ip6_nxt; do { - while (off >= m->m_len) { - off -= m->m_len; - m = m->m_next; - } - switch (pd.proto) { case IPPROTO_FRAGMENT: /* XXX we don't handle fragments yet */ @@ -4532,11 +4527,19 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) case IPPROTO_ROUTING: case IPPROTO_DSTOPTS: { /* get next header and header length */ - struct _opt6 *opt6; + struct _opt6 opt6; - opt6 = (struct _opt6 *)(mtod(m, caddr_t) + off); - pd.proto = opt6->opt6_nxt; - off += (opt6->opt6_hlen + 1) * 8; + if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), + NULL, NULL, pd.af)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: IPv6 short opt\n")); + action = PF_DROP; + REASON_SET(&reason, PFRES_SHORT); + log = 1; + goto done; + } + pd.proto = opt6.opt6_nxt; + off += (opt6.opt6_hlen + 1) * 8; /* goto the next header */ break; } |