From 05aef634e75638d164c359367311b66de6e9ce86 Mon Sep 17 00:00:00 2001
From: keiichi
Date: Tue, 13 Feb 2007 02:17:02 +0000
Subject: [PATCH] added msglen validation for mipsock output.
---
 kame/sys/net/mipsock.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/kame/sys/net/mipsock.c b/kame/sys/net/mipsock.c
index 062a8f703e..6bf59ab63e 100644
--- a/kame/sys/net/mipsock.c
+++ b/kame/sys/net/mipsock.c
@@ -1,4 +1,4 @@
-/* $Id: mipsock.c,v 1.25 2007/01/26 09:50:56 keiichi Exp $ */
+/* $Id: mipsock.c,v 1.26 2007/02/13 02:17:02 keiichi Exp $ */
 /*
 * Copyright (C) 2004 WIDE Project.
@@ -392,7 +392,7 @@ mips_output(m, va_alist)
 #endif
 #endif
 {
- int error = 0;
+ int len, error = 0;
 struct mip_msghdr *miph = NULL;
 struct mipm_bc_info *mipc = NULL;
 struct mipm_nodetype_info *mipmni = NULL;
@@ -406,6 +406,16 @@ mips_output(m, va_alist)
 u_int16_t bid = 0;
 #define senderr(e) do { error = e; goto flush;} while (/*CONSTCOND*/ 0)
+ if (m == 0 || ((m->m_len < sizeof(int32_t)) &&
+ (m = m_pullup(m, sizeof(int32_t))) == 0))
+ return (ENOBUFS);
+ if ((m->m_flags & M_PKTHDR) == 0)
+ panic("mips_output");
+ len = m->m_pkthdr.len;
+ if (len < sizeof(struct mip_msghdr) ||
+ len != mtod(m, struct mip_msghdr *)->miph_msglen) {
+ senderr(EINVAL);
+ }
 miph = mtod(m, struct mip_msghdr *);
 /*
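Review bot: `len` is declared as a signed `int` in this hunk, but the check added in the next hunk compares it with `sizeof(struct mip_msghdr)`, so that comparison is done in unsigned arithmetic. A negative `len` would pass the minimum test and be left to the `len != ...->miph_msglen` test to reject. Writing the bound as `len < (int)sizeof(struct mip_msghdr)` keeps both sides signed and avoids sign-compare warnings. The body of `mips_output` starts before and continues past this hunk.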
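Review bot: The new check bounds the total chain length (`m->m_pkthdr.len`), but the `m_pullup()` above it only makes `sizeof(int32_t)` bytes contiguous, so `miph = mtod(m, struct mip_msghdr *)` right after it can still point into a first mbuf that is shorter than the header. After the length test, pull the header up as well, e.g. `if (m->m_len < sizeof(struct mip_msghdr) && (m = m_pullup(m, sizeof(struct mip_msghdr))) == 0) return (ENOBUFS);`, or copy `len` bytes out with `m_copydata()` before casting. The minimum is also only the generic header: the `mipc` and `mipmni` pointers declared above suggest per-type casts later in `mips_output`, which is outside this hunk, and each of those would need its own `len >= sizeof(...)` test unless one already exists there. Reading `miph_msglen` after a 4-byte pull-up assumes the field sits in the first four bytes of `struct mip_msghdr`; a one-line comment such as `/* miph_msglen must stay within the first int32_t of mip_msghdr */` would record that dependency.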