From d49c6b9957f582865e3b14a12dc9021e40852a81 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Wed, 8 Mar 2023 23:17:02 +0000
Subject: [PATCH] An invalid source routing IP option could overwrite kernel memory by using a bad option length. This bug is only reachable if both pf IP option check is disabled and IP source routing is enabled. reported by @fuzzingrf Erg Noor OK claudio@ deraadt@
---
 sys/netinet/ip_input.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 37c18d2efb2..07dde2897c5 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.381 2022/08/29 14:43:56 bluhm Exp $ */
+/* $OpenBSD: ip_input.c,v 1.382 2023/03/08 23:17:02 bluhm Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 
 /*
@@ -1156,6 +1156,10 @@ ip_dooptions(struct mbuf *m, struct ifnet *ifp)
 code = ICMP_UNREACH_SRCFAIL;
 goto bad;
 }
+ if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
+ code = &cp[IPOPT_OLEN] - (u_char *)ip;
+ goto bad;
+ }
 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
 goto bad;
-- 
2.20.1
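Review bot: The new length floor exists to make the `cp[IPOPT_OFFSET]` read on the following line stay inside the option, but nothing in the hunk says so, and `IPOPT_OFFSET + sizeof(*cp)` is an arithmetic minimum rather than a named constant, so the intent is easy to lose on the next refactor; a one-line comment above the new `if`, such as `/* option must be long enough to hold the offset byte read below */`, would pin the invariant. The ICMP parameter-problem pointer `&cp[IPOPT_OLEN]` blames the length byte, which is the right field here and presumably mirrors the neighbouring length checks in this function. If the record-route and timestamp branches of the same switch read their offset byte the same way (they are outside this hunk), it is worth confirming they already carry an equivalent floor so the fix is not partial to the source-routing case. ip_dooptions begins and ends outside the hunk.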