Check the protocol header length for tcp, udp, icmp, icmp6 in

pf_setup_pdesc(). It is better to check and bail out early than to rely on pf_pull_hdr() later. ok henning mpf
author: bluhm <bluhm@openbsd.org> 2011-09-21 19:07:30 +0000
committer: bluhm <bluhm@openbsd.org> 2011-09-21 19:07:30 +0000
commit: eb24aab1704c8963c480a62ce5b6e6a97a69f9bc (patch)
tree: 86f1b9929622bb225c4d6514959f4213bc0fc16a /sys/net/pf_osfp.c
parent: Use volatile sig_atomic_t, not int, for the sigs variable. Also (diff)
download: wireguard-openbsd-eb24aab1704c8963c480a62ce5b6e6a97a69f9bc.tar.xz
wireguard-openbsd-eb24aab1704c8963c480a62ce5b6e6a97a69f9bc.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/pf_osfp.c b/sys/net/pf_osfp.c
index 21d49b523e9..514b6c2a1c3 100644
--- a/sys/net/pf_osfp.c
+++ b/sys/net/pf_osfp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_osfp.c,v 1.23 2011/09/20 15:17:26 bluhm Exp $ */
+/*	$OpenBSD: pf_osfp.c,v 1.24 2011/09/21 19:07:30 bluhm Exp $ */
 
 /*
  * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@@ -89,7 +89,7 @@ pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m)
 	struct ip6_hdr	*ip6 = NULL;
 	char		 hdr[60];
 
-	if (pd->proto != IPPROTO_TCP || (th->th_off << 2) < sizeof(*th))
+	if (pd->proto != IPPROTO_TCP)
 		return (NULL);
 
 	switch (pd->af) {
author	bluhm <bluhm@openbsd.org>	2011-09-21 19:07:30 +0000
committer	bluhm <bluhm@openbsd.org>	2011-09-21 19:07:30 +0000
commit	eb24aab1704c8963c480a62ce5b6e6a97a69f9bc (patch)
tree	86f1b9929622bb225c4d6514959f4213bc0fc16a /sys/net/pf_osfp.c
parent	Use volatile sig_atomic_t, not int, for the sigs variable. Also (diff)
download	wireguard-openbsd-eb24aab1704c8963c480a62ce5b6e6a97a69f9bc.tar.xz wireguard-openbsd-eb24aab1704c8963c480a62ce5b6e6a97a69f9bc.zip