"Check UDP length for short as well as long values" - apply the fix from

usr.sbin/dhcpd/packet.c r1.4 to dhcrelay. ok deraadt@
author: sthen <sthen@openbsd.org> 2016-01-13 13:41:42 +0000
committer: sthen <sthen@openbsd.org> 2016-01-13 13:41:42 +0000
commit: c56a007c2959dfb594c890a5b56d8ba052243c16 (patch)
tree: 9884c0950262372690ebc722a6014330a7856e6e /usr.sbin/dhcrelay
parent: fix exit status on pledge fail, eval here should be 2. (diff)
download: wireguard-openbsd-c56a007c2959dfb594c890a5b56d8ba052243c16.tar.xz
wireguard-openbsd-c56a007c2959dfb594c890a5b56d8ba052243c16.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/dhcrelay/packet.c b/usr.sbin/dhcrelay/packet.c
index 42f45af58f5..6352f0cf5a9 100644
--- a/usr.sbin/dhcrelay/packet.c
+++ b/usr.sbin/dhcrelay/packet.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: packet.c,v 1.5 2014/10/25 03:23:49 lteo Exp $	*/
+/*	$OpenBSD: packet.c,v 1.6 2016/01/13 13:41:42 sthen Exp $	*/
 
 /* Packet assembly code, originally contributed by Archie Cobbs. */
 
@@ -223,7 +223,7 @@ decode_udp_ip_header(struct interface_info *interface, unsigned char *buf,
 		data = buf + bufix + ip_len + sizeof(*udp);
 		len = ntohs(udp->uh_ulen) - sizeof(*udp);
 		udp_packets_length_checked++;
-		if (len + data > buf + bufix + buflen) {
+		if ((len < 0) || (len + data > buf + bufix + buflen)) {
 			udp_packets_length_overflow++;
 			if (udp_packets_length_checked > 4 &&
 			    udp_packets_length_overflow != 0 &&
author	sthen <sthen@openbsd.org>	2016-01-13 13:41:42 +0000
committer	sthen <sthen@openbsd.org>	2016-01-13 13:41:42 +0000
commit	c56a007c2959dfb594c890a5b56d8ba052243c16 (patch)
tree	9884c0950262372690ebc722a6014330a7856e6e /usr.sbin/dhcrelay
parent	fix exit status on pledge fail, eval here should be 2. (diff)
download	wireguard-openbsd-c56a007c2959dfb594c890a5b56d8ba052243c16.tar.xz wireguard-openbsd-c56a007c2959dfb594c890a5b56d8ba052243c16.zip