Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!akgua!sdcsvax!sdcrdcf!hplabs!sri-unix!rws@Mit-Bold.ARPA
From: rws@Mit-Bold.ARPA
Newsgroups: net.unix-wizards
Subject: 4.2 ip_dooptions() is not paranoid
Message-ID: <12240@sri-arpa.UUCP>
Date: Fri, 13-Apr-84 02:39:46 EDT
Article-I.D.: sri-arpa.12240
Posted: Fri Apr 13 02:39:46 1984
Date-Received: Sat, 12-May-84 07:21:01 EDT
Lines: 24

From: Robert W. Scheifler

Description:
    IP options are not adequately sanity-checked. In particular, the
    option length is not checked to be reasonable. A zero length
    option will cause the machine to hang, executing a for loop in
    ip_dooptions() forever at netisr.

Repeat-By:
    Send your enemies a bogus IP option specifying a zero option
    length. Watch with glee as their machines hang.

Fix:
    Other checks may be necessary, but in ip_dooptions you at least
    need to change lines

        else
            optlen = cp[1];

    to

        else {
            optlen = cp[1];
            if (optlen <= 0 || optlen > cnt)
                goto bad;
        }
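
Added example, not part of the original post and not the 4.2BSD source: a standalone C walker over an IP options area that applies the post's length check, plus two stricter checks that go beyond it (no room left for a length byte; a length below 2, since the length octet counts the type and length bytes themselves). The name walk_ip_options and the sample buffers are constructed for illustration.

```c
#include <stdio.h>

#define IPOPT_EOL 0   /* end of option list */
#define IPOPT_NOP 1   /* one-byte padding option, has no length byte */

/*
 * Walk an options area of cnt bytes with the same loop shape the post
 * describes. Returns the number of options seen, or -1 if malformed.
 * Hypothetical helper, not the kernel's ip_dooptions().
 */
int walk_ip_options(const unsigned char *cp, int cnt)
{
    int seen = 0, optlen;

    for (; cnt > 0; cnt -= optlen, cp += optlen) {
        if (cp[0] == IPOPT_EOL)
            break;
        if (cp[0] == IPOPT_NOP) {
            optlen = 1;
        } else {
            if (cnt < 2)        /* stricter: cp[1] would be out of bounds */
                return -1;
            optlen = cp[1];
            /* The post's check: a zero length never advances the loop,
             * and a length past cnt runs off the end of the header. */
            if (optlen <= 0 || optlen > cnt)
                return -1;
            if (optlen < 2)     /* stricter: length covers type + length */
                return -1;
        }
        seen++;
    }
    return seen;
}

/* Constructed sample option areas (not captured traffic). */
static const unsigned char opt_ok[]    = { 1, 7, 7, 4, 0, 0, 0, 0, 0 };
static const unsigned char opt_zero[]  = { 7, 0, 4, 0 };   /* length 0 */
static const unsigned char opt_long[]  = { 7, 12, 4, 0 };  /* length > cnt */
static const unsigned char opt_trunc[] = { 1, 1, 1, 7 };   /* no length byte */

int main(void)
{
    printf("ok=%d zero=%d long=%d trunc=%d\n",
           walk_ip_options(opt_ok, sizeof opt_ok),
           walk_ip_options(opt_zero, sizeof opt_zero),
           walk_ip_options(opt_long, sizeof opt_long),
           walk_ip_options(opt_trunc, sizeof opt_trunc));
    return 0;
}
```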