Disallow writing raw IP packets shorter than the IP header.

svn path=/head/; revision=26008
2024-11-16 15:44:04 +01:00 · 1997-05-22 20:52:56 +00:00 · 1997-05-22 20:52:56 +00:00 · 911089957e · 2020-12-20 02:59:44 +00:00
commit 911089957e
parent 6bca557688
1 changed files with 3 additions and 2 deletions
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
- *	$Id: raw_ip.c,v 1.44 1997/04/03 05:14:43 davidg Exp $
+ *	$Id: raw_ip.c,v 1.45 1997/04/27 20:01:10 wollman Exp $
 */

 #include <sys/param.h>
@ -203,7 +203,8 @@ rip_output(m, so, dst)
 		   and don't allow packet length sizes that will crash */
 		if (((IP_VHL_HL(ip->ip_vhl) != (sizeof (*ip) >> 2)) 
 		     && inp->inp_options)
-		    || (ip->ip_len > m->m_pkthdr.len)) {
+		    || (ip->ip_len > m->m_pkthdr.len)
+		    || (ip->ip_len < (IP_VHL_HL(ip->ip_vhl) << 2))) {
 			m_freem(m);
 			return EINVAL;
 		}