patch-2.1.11 linux/net/ipv4/icmp.c

• Lines: 50
• Date: Mon Nov 18 11:31:35 1996
• Orig file: v2.1.10/linux/net/ipv4/icmp.c
• Orig date: Fri Nov 15 23:49:11 1996

diff -u --recursive --new-file v2.1.10/linux/net/ipv4/icmp.c linux/net/ipv4/icmp.c
@@ -643,9 +643,16 @@
 	struct inet_protocol *ipprot;
 	unsigned char *dp;	
 	__u32 info = 0;
+	
+	if(len<sizeof(struct iphdr))
+		goto flush_it;
 
 	iph = (struct iphdr *) (icmph + 1);
 	
+	len-=iph->ihl<<2;
+	if(len<0)
+		goto flush_it;
+	
 	dp= ((unsigned char *)iph)+(iph->ihl<<2);
 	
 	if(icmph->type==ICMP_DEST_UNREACH)
@@ -778,11 +785,12 @@
 		if (iph->protocol == ipprot->protocol && ipprot->err_handler) 
 		{
 			ipprot->err_handler(icmph->type, icmph->code, dp, info,
-					    iph->daddr, iph->saddr, ipprot);
+					    iph->daddr, iph->saddr, ipprot, len);
 		}
 
 		ipprot = nextip;
   	}
+flush_it:
 	kfree_skb(skb, FREE_READ);
 }
 
@@ -799,6 +807,9 @@
 	/*
 	 *	Get the copied header of the packet that caused the redirect
 	 */
+	
+	if(len<=sizeof(struct iphdr))
+		goto flush_it;
 	 
 	iph = (struct iphdr *) (icmph + 1);
 	ip = iph->daddr;
@@ -854,7 +865,7 @@
   	/*
   	 *	Discard the original packet
   	 */
-  	 
+flush_it:
   	kfree_skb(skb, FREE_READ);
 }