Commit 427f850f authored by David S. Miller's avatar David S. Miller

Merge nuts.davemloft.net:/disk1/BK/nfwork-2.6

into nuts.davemloft.net:/disk1/BK/nf-2.6
parents d90349aa 1fbe8eb8
......@@ -1529,11 +1529,16 @@ tcp_match(const struct sk_buff *skb,
== tcpinfo->flg_cmp,
IPT_TCP_INV_FLAGS))
return 0;
if (tcpinfo->option &&
!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
if (tcpinfo->option) {
if (tcph.doff * 4 < sizeof(tcph)) {
*hotdrop = 1;
return 0;
}
if (!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
tcpinfo->invflags & IPT_TCP_INV_OPTION,
hotdrop))
return 0;
}
return 1;
}
......
......@@ -1545,7 +1545,8 @@ tcp_find_option(u_int8_t option,
duprintf("tcp_match: finding option\n");
/* If we don't have the whole header, drop packet. */
if (tcp->doff * 4 > datalen) {
if (tcp->doff * 4 < sizeof(struct tcphdr) ||
tcp->doff * 4 > datalen) {
*hotdrop = 1;
return 0;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment