Don't allow reassembly to create packets bigger than IP_MAXPACKET, and count

attempts to do so.
Don't allow users to source packets bigger than IP_MAXPACKET.
Make UDP length and ipovly's protocol length unsigned short.

Reviewed by:	wollman
Submitted by:	(partly by) kml@nas.nasa.gov (Kevin Lahey)
This commit is contained in:
Bill Fenner 1996-10-25 17:57:53 +00:00
parent 484141f666
commit 430d30d837
5 changed files with 32 additions and 8 deletions

View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
* $Id: ip_input.c,v 1.48 1996/10/07 19:21:45 wollman Exp $
* $Id: ip_input.c,v 1.49 1996/10/22 22:25:58 sos Exp $
* $ANA: ip_input.c,v 1.5 1996/09/18 14:34:59 wollman Exp $
*/
@ -646,7 +646,17 @@ ip_reass(ip, fp)
return (0);
/*
* Reassembly is complete; concatenate fragments.
* Reassembly is complete. Make sure the packet is a sane size.
*/
if (next + (IP_VHL_HL(((struct ip *)fp->ipq_next)->ip_vhl) << 2)
> IP_MAXPACKET) {
ipstat.ips_toolong++;
ip_freef(fp);
return (0);
}
/*
* Concatenate fragments.
*/
q = fp->ipq_next;
m = dtom(q);

View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_var.h 8.2 (Berkeley) 1/9/95
* $Id: ip_var.h,v 1.22 1996/10/15 16:54:47 bde Exp $
* $Id: ip_var.h,v 1.23 1996/10/23 18:35:50 wollman Exp $
*/
#ifndef _NETINET_IP_VAR_H_
@ -44,7 +44,7 @@ struct ipovly {
caddr_t ih_next, ih_prev; /* for protocol sequence q's */
u_char ih_x1; /* (unused) */
u_char ih_pr; /* protocol */
short ih_len; /* protocol length */
u_short ih_len; /* protocol length */
struct in_addr ih_src; /* source internet address */
struct in_addr ih_dst; /* destination internet address */
};
@ -146,6 +146,7 @@ struct ipstat {
u_long ips_noroute; /* packets discarded due to no route */
u_long ips_badvers; /* ip version != 4 */
u_long ips_rawout; /* total raw ip packets generated */
u_long ips_toolong; /* ip length > max ip packet size */
};
#ifdef KERNEL

View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
* $Id: raw_ip.c,v 1.35 1996/08/27 20:52:27 sos Exp $
* $Id: raw_ip.c,v 1.36 1996/10/07 19:21:46 wollman Exp $
*/
#include <sys/param.h>
@ -165,6 +165,10 @@ rip_output(m, so, dst)
* Otherwise, allocate an mbuf for a header and fill it in.
*/
if ((inp->inp_flags & INP_HDRINCL) == 0) {
if (m->m_pkthdr.len + sizeof(struct ip) > IP_MAXPACKET) {
m_freem(m);
return(EMSGSIZE);
}
M_PREPEND(m, sizeof(struct ip), M_WAIT);
ip = mtod(m, struct ip *);
ip->ip_tos = 0;
@ -175,6 +179,10 @@ rip_output(m, so, dst)
ip->ip_dst.s_addr = dst;
ip->ip_ttl = MAXTTL;
} else {
if (m->m_pkthdr.len > IP_MAXPACKET) {
m_freem(m);
return(EMSGSIZE);
}
ip = mtod(m, struct ip *);
/* don't allow both user specified and setsockopt options,
and don't allow packet length sizes that will crash */

View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)udp.h 8.1 (Berkeley) 6/10/93
* $Id: udp.h,v 1.2 1994/08/02 07:49:22 davidg Exp $
* $Id: udp.h,v 1.3 1994/08/21 05:27:41 paul Exp $
*/
#ifndef _NETINET_UDP_H_
@ -44,7 +44,7 @@
struct udphdr {
u_short uh_sport; /* source port */
u_short uh_dport; /* destination port */
short uh_ulen; /* udp length */
u_short uh_ulen; /* udp length */
u_short uh_sum; /* udp checksum */
};

View File

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
* $Id: udp_usrreq.c,v 1.28 1996/06/08 08:19:03 bde Exp $
* $Id: udp_usrreq.c,v 1.29 1996/10/07 19:06:12 davidg Exp $
*/
#include <sys/param.h>
@ -445,6 +445,11 @@ udp_output(inp, m, addr, control)
if (control)
m_freem(control); /* XXX */
if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {
error = EMSGSIZE;
goto release;
}
if (addr) {
laddr = inp->inp_laddr;
if (inp->inp_faddr.s_addr != INADDR_ANY) {