make validation code more strict for ND6/dest6 variable length headers.
check duplicated nd6_ifinfo table initialization in a better way. sync with kame
This commit is contained in:
itojun
parent
e0a4623854
commit
e1e316562b
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: dest6.c,v 1.8 2001/01/23 05:21:23 itojun Exp $ */
|
||||
/* $KAME: dest6.c,v 1.14 2001/01/23 05:16:28 itojun Exp $ */
|
||||
/* $NetBSD: dest6.c,v 1.9 2001/02/21 17:23:09 itojun Exp $ */
|
||||
/* $KAME: dest6.c,v 1.24 2001/02/21 16:12:35 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -89,22 +89,19 @@ dest6_input(mp, offp, proto)
|
||||
|
||||
/* search header for all options. */
|
||||
for (optlen = 0; dstoptlen > 0; dstoptlen -= optlen, opt += optlen) {
|
||||
if (*opt != IP6OPT_PAD1 && dstoptlen < IP6OPT_MINLEN) {
|
||||
ip6stat.ip6s_toosmall++;
|
||||
goto bad;
|
||||
}
|
||||
|
||||
switch (*opt) {
|
||||
case IP6OPT_PAD1:
|
||||
optlen = 1;
|
||||
break;
|
||||
case IP6OPT_PADN:
|
||||
if (dstoptlen < IP6OPT_MINLEN) {
|
||||
ip6stat.ip6s_toosmall++;
|
||||
goto bad;
|
||||
}
|
||||
optlen = *(opt + 1) + 2;
|
||||
break;
|
||||
default: /* unknown option */
|
||||
if (dstoptlen < IP6OPT_MINLEN) {
|
||||
ip6stat.ip6s_toosmall++;
|
||||
goto bad;
|
||||
}
|
||||
optlen = ip6_unknown_opt(opt, m,
|
||||
opt - mtod(m, u_int8_t *));
|
||||
if (optlen == -1)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: nd6.c,v 1.39 2001/02/21 16:28:43 itojun Exp $ */
|
||||
/* $KAME: nd6.c,v 1.118 2001/02/08 12:14:33 itojun Exp $ */
|
||||
/* $NetBSD: nd6.c,v 1.40 2001/02/21 17:23:09 itojun Exp $ */
|
||||
/* $KAME: nd6.c,v 1.131 2001/02/21 16:28:18 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -172,8 +172,14 @@ nd6_ifattach(ifp)
|
||||
|
||||
#define ND nd_ifinfo[ifp->if_index]
|
||||
|
||||
/* don't initialize if called twice */
|
||||
if (ND.linkmtu)
|
||||
/*
|
||||
* Don't initialize if called twice.
|
||||
* XXX: to detect this, we should choose a member that is never set
|
||||
* before initialization of the ND structure itself. We formaly used
|
||||
* the linkmtu member, which was not suitable because it could be
|
||||
* initialized via "ifconfig mtu".
|
||||
*/
|
||||
if (ND.basereachable)
|
||||
return;
|
||||
|
||||
ND.linkmtu = ifindex2ifnet[ifp->if_index]->if_mtu;
|
||||
@ -199,7 +205,7 @@ nd6_setmtu(ifp)
|
||||
u_long oldmaxmtu = ndi->maxmtu;
|
||||
u_long oldlinkmtu = ndi->linkmtu;
|
||||
|
||||
switch(ifp->if_type) {
|
||||
switch (ifp->if_type) {
|
||||
case IFT_ARCNET: /* XXX MTU handling needs more work */
|
||||
ndi->maxmtu = MIN(60480, ifp->if_mtu);
|
||||
break;
|
||||
@ -281,6 +287,12 @@ nd6_option(ndopts)
|
||||
|
||||
nd_opt = ndopts->nd_opts_search;
|
||||
|
||||
/* make sure nd_opt_len is inside the buffer */
|
||||
if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
|
||||
bzero(ndopts, sizeof(*ndopts));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
olen = nd_opt->nd_opt_len << 3;
|
||||
if (olen == 0) {
|
||||
/*
|
||||
@ -292,7 +304,12 @@ nd6_option(ndopts)
|
||||
}
|
||||
|
||||
ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
|
||||
if (!(ndopts->nd_opts_search < ndopts->nd_opts_last)) {
|
||||
if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
|
||||
/* option overruns the end of buffer, invalid */
|
||||
bzero(ndopts, sizeof(*ndopts));
|
||||
return NULL;
|
||||
} else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
|
||||
/* reached the end of options chain */
|
||||
ndopts->nd_opts_done = 1;
|
||||
ndopts->nd_opts_search = NULL;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user