diff options
| author |   itojun <itojun@openbsd.org> | 2000-10-13 17:58:36 +0000 |
|---|---|---|
| committer | itojun <itojun@openbsd.org> | 2000-10-13 17:58:36 +0000 |
| commit | 7ea2d4072ed7a631b172554ac20b88856bee30d4 (patch) | |
| tree | 34b692d460eda137eaf1e70cfbd105f75338b7b0 /sys/netinet/tcp_subr.c | |
| parent | The Netgear FA311 is supported as well as the FA312. (diff) | |
| download | wireguard-openbsd-7ea2d4072ed7a631b172554ac20b88856bee30d4.tar.xz wireguard-openbsd-7ea2d4072ed7a631b172554ac20b88856bee30d4.zip | |
validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system. sync with kame.
Diffstat (limited to 'sys/netinet/tcp_subr.c')
| -rw-r--r-- | sys/netinet/tcp_subr.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 308e7f28a7a..39043f8e7cc 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_subr.c,v 1.34 2000/10/10 15:16:02 provos Exp $ */ +/* $OpenBSD: tcp_subr.c,v 1.35 2000/10/13 17:58:36 itojun Exp $ */ /* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */ /* @@ -772,6 +772,10 @@ tcp6_ctlinput(cmd, sa, d) ip6_tmp.ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index); + /* check if we can safely examine src and dst ports */ + if (m->m_pkthdr.len < off + sizeof(th)) + return; + if (m->m_len < off + sizeof(th)) { /* * this should be rare case, |