reference in RFCs about what a correct limit should be, but FreeBSD already
uses 15.
If an IPv6 packet has 50 options, there is clearly something wrong with it.
- use ${G_OBJS} directly, it avoids issues with .c vs .cc files.
- add a method to not rm -rf .ab for inspection.
- fix and add missing depends for many things.
- use -Wno-error for mips and arm insn-recog.c, due to e.g.:
insn-recog.c:10304:7: error: this decimal constant is unsigned only in ISO C90 [-Werror]
mips.md:3474:11: error: this decimal constant is unsigned only in ISO C90 [-Werror]
arm armeb earm earmeb earmhf earmhfeb earmv4eb earmv6 earmv6eb
earmv6hf earmv6hfeb earmv7 earmv7eb earmv7hf earmv7hfeb
mipsel, ppc64 and ia64 didn't work properly this time, and vax
has a problem with libstdc++.
* Add a KASSERT in ip_output(), we expect (at least) the IP header to be
here.
* In ip_fragment(), declare two variables instead of recomputing the
values each time. Add an XXX for ipoff, it seems to me we should also
remove IP_RF.
* Rename the arguments of ip_optcopy().
* Style: use NULL for pointers, remove ()s for return statements, and
add whitespaces for clarity.
No real functional change.
fragment does not exceed IP_MAXPACKET.
In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.
But there is an integer overflow that can happen a little earlier. We
are doing:
i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
ntohs(ip->ip_off);
[...]
ip->ip_off = htons(ntohs(ip->ip_off) + i);
It is possible that
ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535
so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.
With the new check, it is guaranteed that ip_off+ip_len<=65535.
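As an added illustration (not part of the commit or of NetBSD's ip_reass()), a simplified model of the overlap arithmetic quoted above next to the bounds check the commit describes. The struct and function names are hypothetical, and the fragment offset and length are assumed to be already unpacked into host-order byte values, as the reassembler stores them in the queue:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define IP_MAXPACKET 65535 /* limit ip_reass() already applies to the final length */

/* Hypothetical queued fragment: byte offset and data length, host order. */
struct frag {
    uint16_t off;
    uint16_t len;
};

/* The per-fragment check described in the commit: a fragment whose offset plus
 * length exceeds IP_MAXPACKET cannot belong to a valid datagram, so it is
 * rejected before it reaches the overlap/ordering logic. The sum is done in
 * 32 bits so it cannot wrap before the comparison. */
bool frag_bounds_ok(const struct frag *f)
{
    return (uint32_t)f->off + (uint32_t)f->len <= IP_MAXPACKET;
}

/* Simplified model of the quoted ip_reass() step: how much of the new fragment
 * `ip` is covered by the preceding queued fragment `p`. The adjusted offset is
 * stored back into a 16-bit field, exactly like ip->ip_off, so when
 * p->off + p->len > 65535 the result wraps to zero and `ip` is no longer
 * ordered by offset. Returns the stored offset. */
uint16_t trim_leading_overlap(const struct frag *p, struct frag *ip)
{
    int i = (int)p->off + (int)p->len - (int)ip->off;
    if (i > 0) {
        ip->off = (uint16_t)(ip->off + i);            /* 16-bit store: may wrap */
        ip->len = (ip->len > i) ? (uint16_t)(ip->len - i) : 0;
    }
    return ip->off;
}

int main(void)
{
    /* Constructed values: the queued fragment fails the new check, and the
     * unchecked arithmetic on the next fragment wraps its offset to 0. */
    struct frag p  = { 65528, 8 };
    struct frag ip = { 65527, 8 };
    printf("bounds ok: %d\n", frag_bounds_ok(&p));            /* 0 */
    printf("offset after trim: %u\n", trim_leading_overlap(&p, &ip)); /* 0 */
    return 0;
}
```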