diff options
| -rw-r--r-- | cpukit/ChangeLog | 6 | ||||
| -rw-r--r-- | cpukit/libnetworking/netinet/ip_icmp.c | 7 |
2 files changed, 10 insertions, 3 deletions
diff --git a/cpukit/ChangeLog b/cpukit/ChangeLog index c4d4c010ad..1e0398fbde 100644 --- a/cpukit/ChangeLog +++ b/cpukit/ChangeLog @@ -1,3 +1,9 @@ +2005-05-20 Eric Norum <norume@aps.anl.gov> + + PR 793/networking + * libnetworking/netinet/ip_icmp.c: Malicious ICMP packet causes panic. + Just ignore it. + 2005-05-18 Chris Johns <chrisj@rtems.org> * libmisc/capture/capture-cli.c: Fix the output of ctload when diff --git a/cpukit/libnetworking/netinet/ip_icmp.c b/cpukit/libnetworking/netinet/ip_icmp.c index ef3779c0cb..39020162b5 100644 --- a/cpukit/libnetworking/netinet/ip_icmp.c +++ b/cpukit/libnetworking/netinet/ip_icmp.c @@ -138,6 +138,10 @@ icmp_error(n, type, code, dest, destifp) /* Don't send error in response to a multicast or broadcast packet */ if (n->m_flags & (M_BCAST|M_MCAST)) goto freeit; + /* Don't send error in response to malicious packet */ + icmplen = min(oiplen + 8, oip->ip_len); + if (icmplen < sizeof(struct ip)) + goto freeit; /* * First, formulate icmp message */ @@ -147,9 +151,6 @@ icmp_error(n, type, code, dest, destifp) #ifdef MAC mac_create_mbuf_netlayer(n, m); #endif - icmplen = min(oiplen + 8, oip->ip_len); - if (icmplen < sizeof(struct ip)) - panic("icmp_error: bad length"); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); |