
glibc-2.5-49.el5_5.5.src.rpm

2008-03-08  Ulrich Drepper  <drepper@redhat.com>

	* inet/inet6_opt.c (inet6_opt_init): Check extlen for overflow.

	[BZ #5760]
	* inet/inet6_opt.c (inet6_opt_init): Fix ip6h_len computation.
	Patch by Roland Bless <roland@bless.de>.

--- libc/inet/inet6_opt.c	15 Mar 2007 20:04:17 -0000	1.2
+++ libc/inet/inet6_opt.c	8 Mar 2008 21:16:52 -0000	1.4
@@ -34,12 +34,16 @@ inet6_opt_init (void *extbuf, socklen_t 
 {
   if (extbuf != NULL)
     {
-      if (extlen <= 0 || (extlen % 8) != 0)
+      if (extlen <= 0 || (extlen % 8) != 0 || extlen > 256 * 8)
 	return -1;
 
       /* Fill in the length in units of 8 octets.  */
       struct ip6_hbh *extp = (struct ip6_hbh *) extbuf;
-      extp->ip6h_len = extlen / 8;
+
+      /* RFC 2460 requires that the header extension length is the
+	 length of the option header in 8-byte units, not including
+	 the first 8 bytes.  Hence we have to subtract one.  */
+      extp->ip6h_len = extlen / 8 - 1;
     }
 
   return sizeof (struct ip6_hbh);
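Review bot: The new upper bound `extlen > 256 * 8` in the changed condition is an unexplained magic number, and it is only correct together with the `- 1` added at the assignment: `ip6h_len` is, as far as `netinet/ip6.h` declares it, an 8-bit field, so its largest value 255 corresponds to `extlen / 8 == 256`. A comment above the check, e.g. `/* ip6h_len is 8 bits and holds extlen / 8 - 1, so at most 256 * 8 octets fit.  */`, would stop the two lines from being changed or backported independently, which would let the stored length be truncated again and disagree with the real buffer size. The older comment `Fill in the length in units of 8 octets.` now sits above the declaration rather than the assignment and could be folded into the new RFC 2460 comment. The function's closing brace lies outside the hunk.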