make sure we always check dstoptlen < IP6OPT_MINLEN.

"options MIP6" was vulnerable.
kame · Feb 21, 2001 · 14f15d5 · 14f15d5
1 parent e0d71f3
commit 14f15d5
Showing 1 changed file with 6 additions and 14 deletions.
diff --git a/kame/sys/netinet6/dest6.c b/kame/sys/netinet6/dest6.c
@@ -1,4 +1,4 @@
-/*	$KAME: dest6.c,v 1.23 2001/01/23 13:32:26 itojun Exp $	*/
+/*	$KAME: dest6.c,v 1.24 2001/02/21 16:12:35 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -110,23 +110,19 @@ dest6_input(mp, offp, proto)
 
 	/* search header for all options. */
 	for (optlen = 0; dstoptlen > 0; dstoptlen -= optlen, opt += optlen) {
+		if (*opt != IP6OPT_PAD1 && dstoptlen < IP6OPT_MINLEN) {
+			ip6stat.ip6s_toosmall++;
+			goto bad;
+		}
+
 		switch (*opt) {
 		case IP6OPT_PAD1:
 			optlen = 1;
 			break;
 		case IP6OPT_PADN:
-			if (dstoptlen < IP6OPT_MINLEN) {
-				ip6stat.ip6s_toosmall++;
-				goto bad;
-			}
 			optlen = *(opt + 1) + 2;
 			break;
 		case IP6OPT_HOME_ADDRESS:
-			if (dstoptlen < sizeof(*haopt)) {
-				ip6stat.ip6s_toosmall++;
-				goto bad;
-			}
-
 #if 0
 			/* be picky about alignment: 8n+6 */
 			if ((opt - (u_int8_t *)dstopts) % 8 != 6)
@@ -187,10 +183,6 @@ dest6_input(mp, offp, proto)
 #endif /* MIP6 */
 
 		default:		/* unknown option */
-			if (dstoptlen < IP6OPT_MINLEN) {
-				ip6stat.ip6s_toosmall++;
-				goto bad;
-			}
 			optlen = ip6_unknown_opt(opt, m,
 			    opt - mtod(m, u_int8_t *));
 			if (optlen == -1)