Permalink
Browse files

avoided possible overflow in ip6_insert_jumboopt()

(it's not a real threat with the typical value of MCLBYTES, though).
  • Loading branch information...
1 parent b6354a7 commit 5b919b702a894dcd22bbc3a27a7158e338b0b51f jinmei committed Feb 12, 2006
Showing with 7 additions and 1 deletion.
  1. +7 −1 kame/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $KAME: ip6_output.c,v 1.480 2006/02/11 14:53:19 jinmei Exp $ */
+/* $KAME: ip6_output.c,v 1.481 2006/02/12 14:53:52 jinmei Exp $ */
/*
* Copyright (c) 2002 INRIA. All rights reserved.
@@ -1765,6 +1765,12 @@ ip6_insert_jumboopt(exthdrs, plen)
struct ip6_hbh *hbh;
mopt = exthdrs->ip6e_hbh;
+ hbh = mtod(mopt, struct ip6_hbh *);
+ if (hbh->ip6h_len == 255) {
+ /* There is no room for another option. */
+ return (EMSGSIZE);
+ }
+
if (M_TRAILINGSPACE(mopt) < JUMBOOPTLEN) {
/*
* XXX assumption:

0 comments on commit 5b919b7

Please sign in to comment.