Source-Changes-HG archive


[src/netbsd-1-5]: src/sys/netinet Pullup 1.94 [itojun]:



details:   https://anonhg.NetBSD.org/src/rev/e70a69e7ff3f
branches:  netbsd-1-5
changeset: 489756:e70a69e7ff3f
user:      tv <tv%NetBSD.org@localhost>
date:      Tue Oct 17 00:48:30 2000 +0000

description:
Pullup 1.94 [itojun]:
validate mbuf chain length on *_ctlinput.  remote node may be able to
transmit a truncated icmp6 packet and panic the system.  sync with kame.

diffstat:

 sys/netinet/tcp_subr.c |  6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diffs (20 lines):

diff -r b8066656dc64 -r e70a69e7ff3f sys/netinet/tcp_subr.c
--- a/sys/netinet/tcp_subr.c    Tue Oct 17 00:46:09 2000 +0000
+++ b/sys/netinet/tcp_subr.c    Tue Oct 17 00:48:30 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tcp_subr.c,v 1.91.4.2 2000/09/19 21:02:55 itojun Exp $ */
+/*     $NetBSD: tcp_subr.c,v 1.91.4.3 2000/10/17 00:48:30 tv Exp $     */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1176,6 +1176,10 @@
                if (IN6_IS_ADDR_LINKLOCAL(&s))
                        s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
 
+               /* check if we can safely examine src and dst ports */
+               if (m->m_pkthdr.len < off + sizeof(th))
+                       return;
+
                if (m->m_len < off + sizeof(th)) {
                        /*
                         * this should be rare case,
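Review bot: The added guard `if (m->m_pkthdr.len < off + sizeof(th))` requires a complete `th` to be present in the chain, but the comment directly above it says the goal is only to examine the src and dst ports. If `th` is the full TCP header, as its name suggests, an ICMPv6 error that quotes the ports but not the whole header is now dropped silently by the bare `return;`. Either reword the comment to say the whole header is required, or size the check to the bytes actually read. The declaration of `off` is not visible in this hunk. Because `sizeof(th)` is a `size_t`, the comparison is done unsigned, so it is worth confirming at the call sites that `off` can never be negative. A dropped-packet counter before the `return;` would also make truncated input from a remote node visible to operators instead of vanishing without a trace.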


