2008-03-08 Ulrich Drepper <drepper@redhat.com> * inet/inet6_opt.c (inet6_opt_init): Check extlen for overflow. [BZ #5760] * inet/inet6_opt.c (inet6_opt_init): Fix ip6h_len computation. Patch by Roland Bless <roland@bless.de>. --- libc/inet/inet6_opt.c 15 Mar 2007 20:04:17 -0000 1.2 +++ libc/inet/inet6_opt.c 8 Mar 2008 21:16:52 -0000 1.4 @@ -34,12 +34,16 @@ inet6_opt_init (void *extbuf, socklen_t { if (extbuf != NULL) { - if (extlen <= 0 || (extlen % 8) != 0) + if (extlen <= 0 || (extlen % 8) != 0 || extlen > 256 * 8) return -1; /* Fill in the length in units of 8 octets. */ struct ip6_hbh *extp = (struct ip6_hbh *) extbuf; - extp->ip6h_len = extlen / 8; + + /* RFC 2460 requires that the header extension length is the + length of the option header in 8-byte units, not including + the first 8 bytes. Hence we have to subtract one. */ + extp->ip6h_len = extlen / 8 - 1; } return sizeof (struct ip6_hbh);