Check the size of data available in mbuf, before using them.

author ae <ae@FreeBSD.org>

Wed, 28 Oct 2015 17:55:37 +0000 (17:55 +0000)

committer ae <ae@FreeBSD.org>

Wed, 28 Oct 2015 17:55:37 +0000 (17:55 +0000)
author ae <ae@FreeBSD.org>
Wed, 28 Oct 2015 17:55:37 +0000 (17:55 +0000)
committer ae <ae@FreeBSD.org>
Wed, 28 Oct 2015 17:55:37 +0000 (17:55 +0000)
diff --git a/sys/net/if_gre.c b/sys/net/if_gre.c

index ffd94d831b080df22f7d9cdc4719f195554d3892..24ed971135c2be5be52c0758c7b2cabe2a793df7 100644 (file)
--- a/sys/net/if_gre.c
+++ b/sys/net/if_gre.c
@@ -691,6 +691,14 @@ gre_input(struct mbuf **mp, int *offp, int proto)
         KASSERT(sc != NULL, ("encap_getarg returned NULL"));
  
         ifp = GRE2IFP(sc);
+       hlen = *offp + sizeof(struct grehdr) + 4 * sizeof(uint32_t);
+       if (m->m_pkthdr.len < hlen)
+               goto drop;
+       if (m->m_len < hlen) {
+               m = m_pullup(m, hlen);
+               if (m == NULL)
+                       goto drop;
+       }
         gh = (struct grehdr *)mtodo(m, *offp);
         flags = ntohs(gh->gre_flags);
         if (flags & ~GRE_FLAGS_MASK)
author	ae <ae@FreeBSD.org>
	Wed, 28 Oct 2015 17:55:37 +0000 (17:55 +0000)
committer	ae <ae@FreeBSD.org>
	Wed, 28 Oct 2015 17:55:37 +0000 (17:55 +0000)