Module Name: src Committed By: kefren Date: Fri Jul 2 12:13:11 UTC 2010
Modified Files: src/usr.sbin/traceroute: traceroute.c Log Message: Fix incomplete extensions sanity checks To generate a diff of this commit: cvs rdiff -u -r1.74 -r1.75 src/usr.sbin/traceroute/traceroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/traceroute/traceroute.c
diff -u src/usr.sbin/traceroute/traceroute.c:1.74 src/usr.sbin/traceroute/traceroute.c:1.75
--- src/usr.sbin/traceroute/traceroute.c:1.74 Mon Jul 21 13:37:00 2008
+++ src/usr.sbin/traceroute/traceroute.c Fri Jul 2 12:13:11 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: traceroute.c,v 1.74 2008/07/21 13:37:00 lukem Exp $ */
+/* $NetBSD: traceroute.c,v 1.75 2010/07/02 12:13:11 kefren Exp $ */
 /*
 * Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996, 1997
@@ -29,7 +29,7 @@
 #else
 __COPYRIGHT("@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996, 1997\
 The Regents of the University of California. All rights reserved.");
-__RCSID("$NetBSD: traceroute.c,v 1.74 2008/07/21 13:37:00 lukem Exp $");
+__RCSID("$NetBSD: traceroute.c,v 1.75 2010/07/02 12:13:11 kefren Exp $");
 #endif
 #endif
@@ -1128,7 +1128,8 @@
 ip = (struct ip *)buf;
- if (ip_len <= sizeof(struct ip) + ICMP_EXT_OFFSET) {
+ if (ip_len < (ip->ip_hl << 2) + ICMP_EXT_OFFSET +
+ sizeof(struct icmp_ext_cmn_hdr)) {
 /*
 * No support for ICMP extensions on this host
 */
@@ -1166,16 +1167,15 @@
 buf += sizeof(*cmn_hdr);
 datalen -= sizeof(*cmn_hdr);
- while (datalen > 0) {
+ while (datalen >= sizeof(struct icmp_ext_obj_hdr)) {
 obj_hdr = (struct icmp_ext_obj_hdr *)buf;
 obj_len = ntohs(obj_hdr->length);
 /*
 * Sanity check the length field
 */
- if (obj_len > datalen) {
+ if (obj_len > datalen)
 return;
- }
 datalen -= obj_len;
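Review bot: `ip->ip_hl` in the new length check at line 1128 is taken straight from the received packet and has no lower bound, so a header-length value below 5 makes the required size smaller than the old fixed `sizeof(struct ip)` bound did. Unless the caller already validates the header length (not visible here), compute it once into a local `size_t hlen = ip->ip_hl << 2;` and test `if (hlen < sizeof(struct ip) || ip_len < hlen + ICMP_EXT_OFFSET + sizeof(struct icmp_ext_cmn_hdr))`. The `sizeof` term also makes the comparison unsigned, so if `ip_len` is declared as a signed int a negative value would pass; that is worth confirming at the declaration. The enclosing function starts and ends outside the hunk.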
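Review bot: The length check on `obj_len` in the loop at line 1167 still has only an upper bound: a packet-supplied value smaller than `sizeof(struct icmp_ext_obj_hdr)`, including 0, passes `if (obj_len > datalen)`, and `datalen -= obj_len` then accounts for less than the header the loop has just read. If the code after the hunk advances `buf` by the header size or subtracts the header size from `obj_len`, the bookkeeping can drift past the buffer or wrap. Reject short objects in the same test: `if (obj_len < sizeof(*obj_hdr) || obj_len > datalen) return;`. The loop body continues outside the hunk.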