Check the length of the ipv4 and ipv6 address lists. It must be less

than F_LEN_MASK. MFC after: 5 days
svn path=/head/; revision=162363
2006-09-16 19:27:40 +00:00 · 2006-09-16 19:27:40 +00:00 · 268f526c05 · 2020-12-20 02:59:44 +00:00
commit 268f526c05
parent 1190a85bef
1 changed files with 4 additions and 0 deletions
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@ -2859,6 +2859,8 @@ fill_ip(ipfw_insn_ip *cmd, char *av)
 	len += 2;	/* two words... */
 	d += 2;
    } /* end while */
+    if (len + 1 > F_LEN_MASK)
+	errx(EX_DATAERR, "address list too long");
    cmd->o.len |= len+1;
 }

@ -3010,6 +3012,8 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av)
 	 * Total length of the command, remember that 1 is the size of
 	 * the base command.
 	 */
+	if (len + 1 > F_LEN_MASK)
+		errx(EX_DATAERR, "address list too long");
 	cmd->o.len |= len+1;
 	free(av);
 	return (1);