From 1c5a93032832712afc56c1f378208c802f7b2558 Mon Sep 17 00:00:00 2001
From: florian
Date: Thu, 1 Dec 2022 07:11:17 +0000
Subject: [PATCH] Make sure the length of an unknown IP option is sensible. For example, an unknown option with length 0 would result in an infinite loop. bluhm points out that the network stack in the kernel would not let such packets through to userland. tweak & OK miod OK bluhm
---
 sbin/ping/ping.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index fb31365ad31..38b97a81540 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ping.c,v 1.246 2022/02/21 03:50:46 jmatthew Exp $ */
+/* $OpenBSD: ping.c,v 1.247 2022/12/01 07:11:17 florian Exp $ */

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1525,8 +1525,11 @@ pr_ipopt(int hlen, u_char *buf)
 break;
 default:
 printf("\nunknown option %x", *cp);
- hlen = hlen - (cp[IPOPT_OLEN] - 1);
- cp = cp + (cp[IPOPT_OLEN] - 1);
+ if (cp[IPOPT_OLEN] > 0 && cp[IPOPT_OLEN] < hlen) {
+ hlen = hlen - (cp[IPOPT_OLEN] - 1);
+ cp = cp + (cp[IPOPT_OLEN] - 1);
+ } else
+ hlen = 0;
 break;
 }
 }
--
2.20.1
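Review bot: In the `default:` case of `pr_ipopt` the new condition reads `cp[IPOPT_OLEN]` before confirming that the length byte itself lies within the remaining `hlen` bytes, so an unknown option type in the final option byte makes the check inspect whatever follows the options. Every such case still falls through to `hlen = 0`, but the guard would not depend on the buffer extending past the header if it read `if (hlen > IPOPT_OLEN && cp[IPOPT_OLEN] > 0 && cp[IPOPT_OLEN] < hlen) {`. A short comment on the `else` branch, for example `/* bad option length from the packet: stop parsing */`, would record why the rest of the options are dropped without a message. The loop that advances `hlen` and `cp` and the other option cases are outside the hunk, so whether they apply a comparable length check cannot be seen here.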