From 59bbc2199e18d0e00ca19568d7b1bf02dad27312 Mon Sep 17 00:00:00 2001 From: thorpej Date: Fri, 25 Oct 1996 06:33:36 +0000 Subject: [PATCH] In rip_output(), sanity check the length of the packet to be transmitted. If it's larger than IP_MAXPACKET, return an error condition. Based on a patch from Bill Fenner --- sys/netinet/raw_ip.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index c675cec7ab39..3b129b1f7e27 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip.c,v 1.34 1996/09/16 17:45:17 mycroft Exp $ */ +/* $NetBSD: raw_ip.c,v 1.35 1996/10/25 06:33:36 thorpej Exp $ */ /* * Copyright (c) 1982, 1986, 1988, 1993 @@ -178,6 +178,10 @@ rip_output(m, va_alist) * Otherwise, allocate an mbuf for a header and fill it in. */ if ((inp->inp_flags & INP_HDRINCL) == 0) { + if ((m->m_pkthdr.len + sizeof(struct ip)) > IP_MAXPACKET) { + m_freem(m); + return (EMSGSIZE); + } M_PREPEND(m, sizeof(struct ip), M_WAIT); ip = mtod(m, struct ip *); ip->ip_tos = 0; @@ -189,6 +193,10 @@ rip_output(m, va_alist) ip->ip_ttl = MAXTTL; opts = inp->inp_options; } else { + if (m->m_pkthdr.len > IP_MAXPACKET) { + m_freem(m); + return (EMSGSIZE); + } ip = mtod(m, struct ip *); if (ip->ip_id == 0) ip->ip_id = htons(ip_id++);