2005-05-20 Eric Norum <norume@aps.anl.gov>

PR 793/networking * libnetworking/netinet/ip_icmp.c: Malicious ICMP packet causes panic. Just ignore it.
author: Joel Sherrill <joel.sherrill@OARcorp.com> 2005-05-20 18:56:42 +0000
committer: Joel Sherrill <joel.sherrill@OARcorp.com> 2005-05-20 18:56:42 +0000
commit: 4e8c729f7fad78eaef465f0b49abc853c8bdd966 (patch)
tree: 88de71fd53b2a54bb4612ced99fe77a7076b1cee /cpukit/libnetworking
parent: 2005-05-20 Ralf Corsepius <ralf.corsepius@rtems.org> (diff)
download: rtems-4e8c729f7fad78eaef465f0b49abc853c8bdd966.tar.bz2
1 files changed, 4 insertions, 3 deletions
diff --git a/cpukit/libnetworking/netinet/ip_icmp.c b/cpukit/libnetworking/netinet/ip_icmp.c
index ef3779c0cb..39020162b5 100644
--- a/cpukit/libnetworking/netinet/ip_icmp.c
+++ b/cpukit/libnetworking/netinet/ip_icmp.c
@@ -138,6 +138,10 @@ icmp_error(n, type, code, dest, destifp)
 	/* Don't send error in response to a multicast or broadcast packet */
 	if (n->m_flags & (M_BCAST|M_MCAST))
 		goto freeit;
+    /* Don't send error in response to malicious packet */
+	icmplen = min(oiplen + 8, oip->ip_len);
+	if (icmplen < sizeof(struct ip))
+		goto freeit;
 	/*
 	 * First, formulate icmp message
 	 */
@@ -147,9 +151,6 @@ icmp_error(n, type, code, dest, destifp)
 #ifdef MAC
 	mac_create_mbuf_netlayer(n, m);
 #endif
-	icmplen = min(oiplen + 8, oip->ip_len);
-	if (icmplen < sizeof(struct ip))
-		panic("icmp_error: bad length");
 	m->m_len = icmplen + ICMP_MINLEN;
 	MH_ALIGN(m, m->m_len);
 	icp = mtod(m, struct icmp *);
author	Joel Sherrill <joel.sherrill@OARcorp.com>	2005-05-20 18:56:42 +0000
committer	Joel Sherrill <joel.sherrill@OARcorp.com>	2005-05-20 18:56:42 +0000
commit	4e8c729f7fad78eaef465f0b49abc853c8bdd966 (patch)
tree	88de71fd53b2a54bb4612ced99fe77a7076b1cee /cpukit/libnetworking
parent	2005-05-20 Ralf Corsepius <ralf.corsepius@rtems.org> (diff)
download	rtems-4e8c729f7fad78eaef465f0b49abc853c8bdd966.tar.bz2