[src/trunk]: src/sys/netinet6 check offset overrun in ip6_nexthdr.

[itojun <itojun%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/dfda05120300
branches:  trunk
changeset: 516937:dfda05120300
user:      itojun <itojun%NetBSD.org@localhost>
date:      Fri Nov 02 08:05:48 2001 +0000

description:
check offset overrun in ip6_nexthdr.

diffstat:

 sys/netinet6/ip6_input.c |  6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diffs (27 lines):

diff -r 5c90110e8744 -r dfda05120300 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Fri Nov 02 07:25:58 2001 +0000
+++ b/sys/netinet6/ip6_input.c  Fri Nov 02 08:05:48 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.46 2001/10/29 07:02:35 simonb Exp $    */
+/*     $NetBSD: ip6_input.c,v 1.47 2001/11/02 08:05:48 itojun Exp $    */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -1321,6 +1321,8 @@
                if (nxtp)
                        *nxtp = ip6e.ip6e_nxt;
                off += (ip6e.ip6e_len + 2) << 2;
+               if (m->m_pkthdr.len < off)
+                       return -1;
                return off;
 
        case IPPROTO_HOPOPTS:
@@ -1332,6 +1334,8 @@
                if (nxtp)
                        *nxtp = ip6e.ip6e_nxt;
                off += (ip6e.ip6e_len + 1) << 3;
+               if (m->m_pkthdr.len < off)
+                       return -1;
                return off;
 
        case IPPROTO_NONE: