Apply by doing
cd /usr/src
patch -p0 <023_ip_ah.patch
And then rebuild your kernel.
Index: sys/netinet/ip_ah.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- sys/netinet/ip_ah.c 2000/11/17 04:15:42 1.45
+++ sys/netinet/ip_ah.c 2001/02/20 06:48:06 1.46
@@ -253,6 +253,17 @@
/* IPv4 option processing */
for (off = sizeof(struct ip); off < skip;)
{
+ if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
+ off + 1 < skip)
+ ;
+ else
+ {
+ DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return EINVAL;
+ }
+
switch (ptr[off])
{
case IPOPT_EOL:
@@ -268,10 +279,10 @@
case 0x86: /* Commercial security */
case 0x94: /* Router alert */
case 0x95: /* RFC1770 */
- /* Sanity check for zero-length options */
- if (ptr[off + 1] == 0)
+ /* Sanity check for option length */
+ if (ptr[off + 1] < 2)
{
- DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d\n", ptr[off]));
+ DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
ahstat.ahs_hdrops++;
m_freem(m);
return EINVAL;
@@ -282,6 +293,15 @@
case IPOPT_LSRR:
case IPOPT_SSRR:
+ /* Sanity check for option length */
+ if (ptr[off + 1] < 2)
+ {
+ DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return EINVAL;
+ }
+
/*
* On output, if we have either of the source routing
* options, we should swap the destination address of
@@ -296,10 +316,10 @@
/* Fall through */
default:
- /* Sanity check for zero-length options */
- if (ptr[off + 1] == 0)
+ /* Sanity check for option length */
+ if (ptr[off + 1] < 2)
{
- DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d\n", ptr[off]));
+ DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
ahstat.ahs_hdrops++;
m_freem(m);
return EINVAL;