diff options
Diffstat (limited to 'pfinet/linux-src/net/ipv4/ip_input.c')
| -rw-r--r-- | pfinet/linux-src/net/ipv4/ip_input.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/pfinet/linux-src/net/ipv4/ip_input.c b/pfinet/linux-src/net/ipv4/ip_input.c index b1725fa3..545f093c 100644 --- a/pfinet/linux-src/net/ipv4/ip_input.c +++ b/pfinet/linux-src/net/ipv4/ip_input.c @@ -97,6 +97,7 @@ * Alan Cox : Multicast routing hooks * Jos Vos : Do accounting *before* call_in_firewall * Willy Konynenberg : Transparent proxying support + * Stephan Uphoff : Check IP header length field * * * @@ -421,6 +422,10 @@ int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt) if (skb->len < sizeof(struct iphdr)) goto inhdr_error; + + if (skb->len < (iph->ihl << 2)) + goto inhdr_error; + if (iph->ihl < 5 || iph->version != 4 || ip_fast_csum((u8 *)iph, iph->ihl) != 0) goto inhdr_error; @@ -429,6 +434,9 @@ int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt) if (skb->len < len) goto inhdr_error; + if (len < (iph->ihl << 2)) + goto inhdr_error; + /* * Our transport medium may have padded the buffer out. Now we know it * is IP we can trim to the true length of the frame. |