[2412] in linux-net channel archive
Re: Frozen linux 1.3.84
daemon@ATHENA.MIT.EDU (Rob Janssen reading Linux mailingl)
Mon Apr 8 19:10:12 1996
From: linux@pe1chl.ampr.org (Rob Janssen reading Linux mailinglist)
To: torvalds@cs.helsinki.fi (Linus Torvalds)
Date: Mon, 8 Apr 1996 23:15:49 +0200 (MET DST)
Cc: avalon@coombs.anu.edu.au, linux-kernel@vger.rutgers.edu,
linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.960408164958.1996D-100000@linux.cs.Helsinki.FI> from "Linus Torvalds" at Apr 8, 96 04:55:16 pm
Reply-To: linux-vger@wab-tis.rabobank.nl
According to Linus Torvalds:
> > Consider the case when the packet has an option length of 0 for an
> > option which falls into the "default" case but the packet claims to
> > have (say) 8 bytes of IP options.
>
> Right. Does the lockup go away if you add a test for zero optlen in
> ip_options.c, line 277. Pseudo-patch:
>
> continue;
> }
> optlen = optptr[1];
> - if (l<2 || optlen>l)
> + if (l<2 || optlen>l || !optlen)
> {
> pp_ptr = optptr;
> break;
>
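Review bot: on the "+" line, "!optlen" rejects a zero length but still lets optlen == 1 through, although an option length has to cover at least the option byte and the length byte itself. Testing "optlen<2" in place of "!optlen" rejects both values: "if (l<2 || optlen<2 || optlen>l)".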
> (or something to that effect..) Does that fix it?
>
> Linus
In fact, value 1 is illegal for optlen as well. "optlen < 2" is
a better check.
(the option length includes the option byte and the length field itself)
Rob
--
+------------------------------------+--------------------------------------+
| Rob Janssen rob@knoware.nl | BBS: +31-302870036 (2300-0730 local) |
| AMPRnet: rob@pe1chl.ampr.org | AX.25 BBS: PE1CHL@PI8WNO.#UTR.NLD.EU |
+------------------------------------+--------------------------------------+
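
The length check discussed in this thread, as an added example (not the kernel's ip_options.c and not code from either poster): a simplified option walker in which min_optlen selects the check, with a step budget standing in for the lockup so the program terminates. The function name, the option type 0x99 and the sample byte strings are constructed for illustration.

```c
#include <stdio.h>

#define IPOPT_END  0   /* end of option list, single byte */
#define IPOPT_NOOP 1   /* no-operation, single byte */

/* Constructed samples: type 0x99 is an arbitrary unrecognised option. */
static const unsigned char zero_len[8] = { 0x99, 0x00, 0, 0, 0, 0, 0, 0 };
static const unsigned char one_len[4]  = { 0x99, 0x01, 0x00, 0x00 };
static const unsigned char valid[4]    = { 0x99, 0x04, 0xaa, 0xbb };

/* Walk len bytes of IP options. min_optlen picks the check:
 *   0 = only "optlen > l", 1 = also reject 0, 2 = reject anything < 2.
 * Returns options parsed, -1 on a malformed option, -2 when the walk
 * stops making progress (step budget exhausted). */
int walk_ip_options(const unsigned char *opt, int len, int min_optlen)
{
    const unsigned char *optptr = opt;
    int l = len, count = 0, steps = 0;

    while (l > 0) {
        int optlen;
        if (++steps > 64)
            return -2;              /* would spin forever without a budget */
        if (*optptr == IPOPT_END)
            break;
        if (*optptr == IPOPT_NOOP) {
            l--; optptr++; count++;
            continue;
        }
        if (l < 2)
            return -1;              /* no room for a length byte */
        optlen = optptr[1];
        if (optlen > l || optlen < min_optlen)
            return -1;
        l -= optlen;                /* optlen == 0 leaves l and optptr unchanged */
        optptr += optlen;
        count++;
    }
    return count;
}

int main(void)
{
    printf("optlen 0, no check:  %d\n", walk_ip_options(zero_len, 8, 0));
    printf("optlen 1, !optlen:   %d\n", walk_ip_options(one_len, 4, 1));
    printf("optlen 1, optlen<2:  %d\n", walk_ip_options(one_len, 4, 2));
    printf("optlen 4, optlen<2:  %d\n", walk_ip_options(valid, 4, 2));
    return 0;
}
```

With only the zero test, the one_len sample is accepted and its length byte is then re-read as an option type, which is why it is counted as two options.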