diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index d5c904d66d8e..cfe1d4abf471 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.48 1996/10/07 19:21:45 wollman Exp $
+ * $Id: ip_input.c,v 1.49 1996/10/22 22:25:58 sos Exp $
 * $ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $
 */

@@ -646,7 +646,17 @@ insert:
 return (0);

 /*
- * Reassembly is complete; concatenate fragments.
+ * Reassembly is complete. Make sure the packet is a sane size.
+ */
+ if (next + (IP_VHL_HL(((struct ip *)fp->ipq_next)->ip_vhl) << 2)
+ > IP_MAXPACKET) {
+ ipstat.ips_toolong++;
+ ip_freef(fp);
+ return (0);
+ }
+
+ /*
+ * Concatenate fragments.
 */
 q = fp->ipq_next;
 m = dtom(q);
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index d71008f3a79b..59b3df8795c7 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)ip_var.h 8.2 (Berkeley) 1/9/95
- * $Id: ip_var.h,v 1.22 1996/10/15 16:54:47 bde Exp $
+ * $Id: ip_var.h,v 1.23 1996/10/23 18:35:50 wollman Exp $
 */

 #ifndef _NETINET_IP_VAR_H_
@@ -44,7 +44,7 @@ struct ipovly {
 caddr_t ih_next, ih_prev; /* for protocol sequence q's */
 u_char ih_x1; /* (unused) */
 u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
+ u_short ih_len; /* protocol length */
 struct in_addr ih_src; /* source internet address */
 struct in_addr ih_dst; /* destination internet address */
 };
@@ -146,6 +146,7 @@ struct ipstat {
 u_long ips_noroute; /* packets discarded due to no route */
 u_long ips_badvers; /* ip version != 4 */
 u_long ips_rawout; /* total raw ip packets generated */
+ u_long ips_toolong; /* ip length > max ip packet size */
 };

 #ifdef KERNEL
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index f55f7b4633af..21ef2f93aaea 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
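Review bot: The size check in the `@@ -646` hunk of ip_input.c runs only once reassembly is complete, so fragments whose offset plus length already exceed IP_MAXPACKET stay queued until the last fragment arrives or the queue entry is released elsewhere. The per-fragment path is outside this hunk and may already bound this, but rejecting such a fragment on arrival would free the memory sooner and narrow the window for reassembly-queue exhaustion. The new comment would also be more useful if it gave the reason, for example `* The IP total length is 16 bits; a longer datagram cannot be represented and would wrap downstream.` The header length is read through a cast of `fp->ipq_next` just before `q = fp->ipq_next;` is assigned, so moving that assignment above the check would shorten the expression.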
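Review bot: Changing `ih_len` from `short` to `u_short` in struct ipovly alters every expression that uses the field, and none of those callers are part of this diff. Any code that relies on the value going negative, such as a `< 0` or `<= 0` test after subtracting from it, would now wrap to a large positive length instead; the same concern applies to `uh_ulen` in the udp.h hunk. It would be worth auditing the users of both fields, including any macros that alias them, and recording the signedness in the field comment, e.g. `/* protocol length (unsigned) */`.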
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
- * $Id: raw_ip.c,v 1.35 1996/08/27 20:52:27 sos Exp $
+ * $Id: raw_ip.c,v 1.36 1996/10/07 19:21:46 wollman Exp $
 */

 #include
@@ -165,6 +165,10 @@ rip_output(m, so, dst)
 * Otherwise, allocate an mbuf for a header and fill it in.
 */
 if ((inp->inp_flags & INP_HDRINCL) == 0) {
+ if (m->m_pkthdr.len + sizeof(struct ip) > IP_MAXPACKET) {
+ m_freem(m);
+ return(EMSGSIZE);
+ }
 M_PREPEND(m, sizeof(struct ip), M_WAIT);
 ip = mtod(m, struct ip *);
 ip->ip_tos = 0;
@@ -175,6 +179,10 @@ rip_output(m, so, dst)
 ip->ip_dst.s_addr = dst;
 ip->ip_ttl = MAXTTL;
 } else {
+ if (m->m_pkthdr.len > IP_MAXPACKET) {
+ m_freem(m);
+ return(EMSGSIZE);
+ }
 ip = mtod(m, struct ip *);
 /* don't allow both user specified and setsockopt options,
 and don't allow packet length sizes that will crash */
diff --git a/sys/netinet/udp.h b/sys/netinet/udp.h
index d47ea918a458..3aeb522978a4 100644
--- a/sys/netinet/udp.h
+++ b/sys/netinet/udp.h
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)udp.h 8.1 (Berkeley) 6/10/93
- * $Id: udp.h,v 1.2 1994/08/02 07:49:22 davidg Exp $
+ * $Id: udp.h,v 1.3 1994/08/21 05:27:41 paul Exp $
 */

 #ifndef _NETINET_UDP_H_
@@ -44,7 +44,7 @@
 struct udphdr {
 u_short uh_sport; /* source port */
 u_short uh_dport; /* destination port */
- short uh_ulen; /* udp length */
+ u_short uh_ulen; /* udp length */
 u_short uh_sum; /* udp checksum */
 };

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 0d6994f760f2..4c3c62f27ffc 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
- * $Id: udp_usrreq.c,v 1.28 1996/06/08 08:19:03 bde Exp $
+ * $Id: udp_usrreq.c,v 1.29 1996/10/07 19:06:12 davidg Exp $
 */

 #include
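Review bot: In the `else` (INP_HDRINCL) branch of rip_output the new test bounds `m->m_pkthdr.len` from above only, and the very next line does `ip = mtod(m, struct ip *)` on a header supplied by the caller. Nothing visible in the hunk ensures the packet holds at least `sizeof(struct ip)` bytes before the header fields are read; the comment that follows suggests more validation after the hunk ends, so this may already be covered there. If it is not, a lower bound belongs next to the new check, e.g. `if (m->m_pkthdr.len < sizeof(struct ip)) { m_freem(m); return(EINVAL); }`. As a style point, both added blocks write `return(EMSGSIZE);` where ip_input.c in this same diff writes `return (0);` with a space.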
@@ -445,6 +445,11 @@ udp_output(inp, m, addr, control)
 if (control)
 m_freem(control); /* XXX */

+ if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {
+ error = EMSGSIZE;
+ goto release;
+ }
+
 if (addr) {
 laddr = inp->inp_laddr;
 if (inp->inp_faddr.s_addr != INADDR_ANY) {
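Review bot: The added length test in udp_output carries no comment, and the reason for the bound is not evident from `len + sizeof(struct udpiphdr) > IP_MAXPACKET` alone. A one-line comment such as `/* UDP and IP length fields are 16 bits; refuse datagrams that would not fit. */` would record it for the next reader. `len` is declared and the `release` label is defined outside this hunk, so it is worth confirming that `release` frees `m` on this early exit. The same bound is tested separately in rip_output in this diff; if ip_output does not enforce it as well, other senders may still be able to build an oversized datagram.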