patch-2.0.26 linux/net/ipv4/icmp.c

• Lines: 50
• Date: Thu Nov 14 15:20:10 1996
• Orig file: v2.0.25/linux/net/ipv4/icmp.c
• Orig date: Wed Nov 13 11:26:23 1996

diff -u --recursive --new-file v2.0.25/linux/net/ipv4/icmp.c linux/net/ipv4/icmp.c
@@ -642,8 +642,15 @@
 	unsigned char *dp;	
 	int match_addr=0;
 	
+	if(len<sizeof(struct iphdr))
+		goto flush_it;
+		
 	iph = (struct iphdr *) (icmph + 1);
 	
+	len-=iph->ihl<<2;
+	if(len<0)
+		goto flush_it;
+	
 	dp= ((unsigned char *)iph)+(iph->ihl<<2);
 	
 	if(icmph->type==ICMP_DEST_UNREACH)
@@ -784,12 +791,13 @@
 			if (iph->protocol == ipprot->protocol && ipprot->err_handler) 
 			{
 				ipprot->err_handler(icmph->type, icmph->code, dp,
-					    iph->daddr, iph->saddr, ipprot);
+					    iph->daddr, iph->saddr, ipprot, len);
 			}
 
 			ipprot = nextip;
 		}
 	}
+flush_it:
 	kfree_skb(skb, FREE_READ);
 }
 
@@ -806,6 +814,9 @@
 	/*
 	 *	Get the copied header of the packet that caused the redirect
 	 */
+	
+	if(len<=sizeof(struct iphdr))
+		goto flush_it;
 	 
 	iph = (struct iphdr *) (icmph + 1);
 	ip = iph->daddr;
@@ -861,7 +872,7 @@
   	/*
   	 *	Discard the original packet
   	 */
-  	 
+flush_it:
   	kfree_skb(skb, FREE_READ);
 }