An invalid source routing IP option could overwrite kernel memory
authorbluhm <bluhm@openbsd.org>
Wed, 8 Mar 2023 23:17:02 +0000 (23:17 +0000)
committerbluhm <bluhm@openbsd.org>
Wed, 8 Mar 2023 23:17:02 +0000 (23:17 +0000)
by using a bad option length.  This bug is only reachable if both
the pf IP option check is disabled and IP source routing is enabled.
reported by @fuzzingrf Erg Noor
OK claudio@ deraadt@

sys/netinet/ip_input.c

index 37c18d2..07dde28 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_input.c,v 1.381 2022/08/29 14:43:56 bluhm Exp $    */
+/*     $OpenBSD: ip_input.c,v 1.382 2023/03/08 23:17:02 bluhm Exp $    */
 /*     $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $   */
 
 /*
@@ -1156,6 +1156,10 @@ ip_dooptions(struct mbuf *m, struct ifnet *ifp)
                                code = ICMP_UNREACH_SRCFAIL;
                                goto bad;
                        }
+                       if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
+                               code = &cp[IPOPT_OLEN] - (u_char *)ip;
+                               goto bad;
+                       }
                        if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
                                code = &cp[IPOPT_OFFSET] - (u_char *)ip;
                                goto bad;
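Review bot: The new guard on the added `if (optlen < IPOPT_OFFSET + sizeof(*cp))` line carries no comment saying what it protects, and the bound reads as a magic expression; I would put `/* the pointer byte cp[IPOPT_OFFSET] must lie inside the option before it is read */` above it, since the very next statement reads `cp[IPOPT_OFFSET]`. The check only guarantees optlen >= 3, so an option of length 3 still reaches the later off/optlen arithmetic for this case; that code is outside the hunk, so I cannot confirm from here that it tolerates optlen below IPOPT_MINOFF, and it is worth a quick look. Reporting the ICMP parameter-problem pointer as `&cp[IPOPT_OLEN]` is the right choice here, because the defect is the length field rather than the pointer field, and presumably matches the generic option-length check earlier in the loop. If `optlen` is a signed int, as the surrounding style suggests, the comparison against `sizeof` is signed/unsigned but safe because the value originates from a u_char. ip_dooptions begins and ends outside this hunk.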