Subject: Re: CVS commit: syssrc/sys/netinet
To: None <itojun@netbsd.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: source-changes
Date: 06/05/2002 22:04:06

From: Jun-ichiro itojun Hagino <itojun@netbsd.org>
Subject: CVS commit: syssrc/sys/netinet
Date: Tue,  4 Jun 2002 13:06:29 +0300 (EEST)
> 
> Module Name:	syssrc
> Committed By:	itojun
> Date:		Tue Jun  4 10:06:29 UTC 2002
> 
> Modified Files:
> 	syssrc/sys/netinet: ip_nat.c
> 
> Log Message:
> in mss clamping code, do not go past TCPOPT_EOL.  enforce stricter
> boundary checking.  discussed on tech-net

Should it be like the attached patch?

---
YAMAMOTO Takashi<yamt@mwd.biglobe.ne.jp>


Index: ip_nat.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet/ip_nat.c,v
retrieving revision 1.49
diff -u -p -r1.49 ip_nat.c
--- ip_nat.c	2002/06/04 10:06:27	1.49
+++ ip_nat.c	2002/06/05 13:02:12
@@ -1157,7 +1157,7 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
 	hlen = tcp->th_off << 2;
 	if (hlen > sizeof(*tcp)) {
 		cp = (uint8_t *)tcp + sizeof(*tcp);
-		ep = cp + hlen;
+		ep = cp + hlen - sizeof(*tcp);
 
 		while (cp < ep) {
 			opt = cp[0];
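
Review bot: at `ep = cp + hlen - sizeof(*tcp);` the end pointer is now correct, but it is built by subtracting the offset that was just added to cp; `ep = (uint8_t *)tcp + hlen;` states the intent directly and is harder to get wrong again. Separately, hlen comes straight from th_off in the packet, and nothing in these lines shows that hlen bytes of header are actually present and contiguous in the buffer. If the caller does not guarantee that, the loop bounded by ep can still read past the data, so a comment naming where that guarantee comes from would help.
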
@@ -1168,7 +1168,7 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
 				continue;
 			}
 
-			if (&cp[1] > ep)
+			if (&cp[1] >= ep)
 				break;
 			advance = cp[1];
 			if (&cp[advance] > ep)
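
Review bot: `advance = cp[1]` is taken from the packet and these lines only test it against the upper bound (`&cp[advance] > ep`); no lower bound is visible. An option length of 0 or 1 is invalid, and if the loop steps with cp += advance, a zero length would never move cp forward. Suggest rejecting `advance < 2` right after reading it, unless that check already exists below this hunk.
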
@@ -1177,11 +1177,11 @@ tcp_mss_clamp(tcp, maxmss, fin, csump)
 			case TCPOPT_MAXSEG:
 				if (advance != 4)
 					break;
-				memcpy(&v, &cp[2], sizeof(mss));
+				memcpy(&v, &cp[2], sizeof(v));
 				mss = ntohs(v);
 				if (mss > maxmss) {
 					v = htons(maxmss);
-					memcpy(&cp[2], &v, sizeof(mss));
+					memcpy(&cp[2], &v, sizeof(v));
 					CALC_SUMD(mss, maxmss, sumd);
 					fix_outcksum(fin, csump, sumd);
 				}
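
Review bot: in the TCPOPT_MAXSEG case, `sizeof(v)` is only right if v is a 16-bit type, and its declaration is not in this hunk. `advance != 4` guarantees exactly two bytes of option data at &cp[2], so both memcpy calls must copy exactly two bytes. Worth confirming that v is declared as a 16-bit unsigned type and noting that requirement next to the declaration, so a later type change does not silently widen the copy.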
