Date:      Wed, 28 Oct 2015 17:55:37 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r290116 - head/sys/net
Message-ID:  <201510281755.t9SHtbJ1052751@repo.freebsd.org>

Author: ae
Date: Wed Oct 28 17:55:37 2015
New Revision: 290116
URL: https://svnweb.freebsd.org/changeset/base/290116

Log:
  Check the size of data available in mbuf, before using them.
  
  PR:		202667
  MFC after:	1 week

Modified:
  head/sys/net/if_gre.c

Modified: head/sys/net/if_gre.c
==============================================================================
--- head/sys/net/if_gre.c	Wed Oct 28 16:31:04 2015	(r290115)
+++ head/sys/net/if_gre.c	Wed Oct 28 17:55:37 2015	(r290116)
@@ -691,6 +691,14 @@ gre_input(struct mbuf **mp, int *offp, i
 	KASSERT(sc != NULL, ("encap_getarg returned NULL"));
 
 	ifp = GRE2IFP(sc);
+	hlen = *offp + sizeof(struct grehdr) + 4 * sizeof(uint32_t);
+	if (m->m_pkthdr.len < hlen)
+		goto drop;
+	if (m->m_len < hlen) {
+		m = m_pullup(m, hlen);
+		if (m == NULL)
+			goto drop;
+	}
 	gh = (struct grehdr *)mtodo(m, *offp);
 	flags = ntohs(gh->gre_flags);
 	if (flags & ~GRE_FLAGS_MASK)
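
Review bot: The length computed on the `hlen = *offp + sizeof(struct grehdr) + 4 * sizeof(uint32_t);` line is a fixed worst case applied before `gre_flags` is read, so any packet shorter than that is dropped no matter which optional fields it actually carries, and the `4 * sizeof(uint32_t)` has no comment saying which fields it accounts for. Consider pulling up only `sizeof(struct grehdr)` first and extending the check once the flags are known, or at least add a comment naming the optional words being reserved. Also, after `m = m_pullup(m, hlen);` the local `m` may no longer be the mbuf that `*mp` points to, and on failure `m_pullup` has already freed the chain, so the `drop` path (not shown in this hunk) has to cope with `m == NULL` and the caller must not reuse `*mp`; updating or clearing `*mp` here would make that explicit.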


