Don't allow reassembly to create packets bigger than IP_MAXPACKET, and count
attempts to do so. Don't allow users to source packets bigger than IP_MAXPACKET. Make UDP length and ipovly's protocol length unsigned short. Reviewed by: wollman Submitted by: (partly by) kml@nas.nasa.gov (Kevin Lahey)
This commit is contained in:
parent
484141f666
commit
430d30d837
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
|
||||
* $Id: ip_input.c,v 1.48 1996/10/07 19:21:45 wollman Exp $
|
||||
* $Id: ip_input.c,v 1.49 1996/10/22 22:25:58 sos Exp $
|
||||
* $ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $
|
||||
*/
|
||||
|
||||
@ -646,7 +646,17 @@ ip_reass(ip, fp)
|
||||
return (0);
|
||||
|
||||
/*
|
||||
* Reassembly is complete; concatenate fragments.
|
||||
* Reassembly is complete. Make sure the packet is a sane size.
|
||||
*/
|
||||
if (next + (IP_VHL_HL(((struct ip *)fp->ipq_next)->ip_vhl) << 2)
|
||||
> IP_MAXPACKET) {
|
||||
ipstat.ips_toolong++;
|
||||
ip_freef(fp);
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Concatenate fragments.
|
||||
*/
|
||||
q = fp->ipq_next;
|
||||
m = dtom(q);
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ip_var.h 8.2 (Berkeley) 1/9/95
|
||||
* $Id: ip_var.h,v 1.22 1996/10/15 16:54:47 bde Exp $
|
||||
* $Id: ip_var.h,v 1.23 1996/10/23 18:35:50 wollman Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NETINET_IP_VAR_H_
|
||||
@ -44,7 +44,7 @@ struct ipovly {
|
||||
caddr_t ih_next, ih_prev; /* for protocol sequence q's */
|
||||
u_char ih_x1; /* (unused) */
|
||||
u_char ih_pr; /* protocol */
|
||||
short ih_len; /* protocol length */
|
||||
u_short ih_len; /* protocol length */
|
||||
struct in_addr ih_src; /* source internet address */
|
||||
struct in_addr ih_dst; /* destination internet address */
|
||||
};
|
||||
@ -146,6 +146,7 @@ struct ipstat {
|
||||
u_long ips_noroute; /* packets discarded due to no route */
|
||||
u_long ips_badvers; /* ip version != 4 */
|
||||
u_long ips_rawout; /* total raw ip packets generated */
|
||||
u_long ips_toolong; /* ip length > max ip packet size */
|
||||
};
|
||||
|
||||
#ifdef KERNEL
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
|
||||
* $Id: raw_ip.c,v 1.35 1996/08/27 20:52:27 sos Exp $
|
||||
* $Id: raw_ip.c,v 1.36 1996/10/07 19:21:46 wollman Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -165,6 +165,10 @@ rip_output(m, so, dst)
|
||||
* Otherwise, allocate an mbuf for a header and fill it in.
|
||||
*/
|
||||
if ((inp->inp_flags & INP_HDRINCL) == 0) {
|
||||
if (m->m_pkthdr.len + sizeof(struct ip) > IP_MAXPACKET) {
|
||||
m_freem(m);
|
||||
return(EMSGSIZE);
|
||||
}
|
||||
M_PREPEND(m, sizeof(struct ip), M_WAIT);
|
||||
ip = mtod(m, struct ip *);
|
||||
ip->ip_tos = 0;
|
||||
@ -175,6 +179,10 @@ rip_output(m, so, dst)
|
||||
ip->ip_dst.s_addr = dst;
|
||||
ip->ip_ttl = MAXTTL;
|
||||
} else {
|
||||
if (m->m_pkthdr.len > IP_MAXPACKET) {
|
||||
m_freem(m);
|
||||
return(EMSGSIZE);
|
||||
}
|
||||
ip = mtod(m, struct ip *);
|
||||
/* don't allow both user specified and setsockopt options,
|
||||
and don't allow packet length sizes that will crash */
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)udp.h 8.1 (Berkeley) 6/10/93
|
||||
* $Id: udp.h,v 1.2 1994/08/02 07:49:22 davidg Exp $
|
||||
* $Id: udp.h,v 1.3 1994/08/21 05:27:41 paul Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NETINET_UDP_H_
|
||||
@ -44,7 +44,7 @@
|
||||
struct udphdr {
|
||||
u_short uh_sport; /* source port */
|
||||
u_short uh_dport; /* destination port */
|
||||
short uh_ulen; /* udp length */
|
||||
u_short uh_ulen; /* udp length */
|
||||
u_short uh_sum; /* udp checksum */
|
||||
};
|
||||
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
|
||||
* $Id: udp_usrreq.c,v 1.28 1996/06/08 08:19:03 bde Exp $
|
||||
* $Id: udp_usrreq.c,v 1.29 1996/10/07 19:06:12 davidg Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -445,6 +445,11 @@ udp_output(inp, m, addr, control)
|
||||
if (control)
|
||||
m_freem(control); /* XXX */
|
||||
|
||||
if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {
|
||||
error = EMSGSIZE;
|
||||
goto release;
|
||||
}
|
||||
|
||||
if (addr) {
|
||||
laddr = inp->inp_laddr;
|
||||
if (inp->inp_faddr.s_addr != INADDR_ANY) {
|
||||
|
Loading…
Reference in New Issue
Block a user