From e5f75e8ece5d1a8d3c17bd0156082caf153d3779 Mon Sep 17 00:00:00 2001
From: Roland McGrath
Date: Sat, 5 Feb 2000 12:21:17 +0000
Subject: Import of Linux 2.2.14 subset (ipv4 stack and related)
---
 pfinet/linux-src/net/ipv4/ip_input.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'pfinet/linux-src/net/ipv4/ip_input.c')
diff --git a/pfinet/linux-src/net/ipv4/ip_input.c b/pfinet/linux-src/net/ipv4/ip_input.c
index b1725fa3..545f093c 100644
--- a/pfinet/linux-src/net/ipv4/ip_input.c
+++ b/pfinet/linux-src/net/ipv4/ip_input.c
@@ -97,6 +97,7 @@
 * Alan Cox : Multicast routing hooks
 * Jos Vos : Do accounting *before* call_in_firewall
 * Willy Konynenberg : Transparent proxying support
+ * Stephan Uphoff : Check IP header length field
 *
 *
 *
@@ -421,6 +422,10 @@ int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
 if (skb->len < sizeof(struct iphdr))
 goto inhdr_error;
+
+ if (skb->len < (iph->ihl << 2))
+ goto inhdr_error;
+
 if (iph->ihl < 5 || iph->version != 4 || ip_fast_csum((u8 *)iph, iph->ihl) != 0)
 goto inhdr_error;
@@ -429,6 +434,9 @@ int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
 if (skb->len < len)
 goto inhdr_error;
+ if (len < (iph->ihl << 2))
+ goto inhdr_error;
+
 /*
 * Our transport medium may have padded the buffer out. Now we know it
 * is IP we can trim to the true length of the frame.
-- 
cgit v1.2.3
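Review bot: The new `skb->len < (iph->ihl << 2)` test in ip_rcv has no comment saying why it must sit ahead of the `ip_fast_csum((u8 *)iph, iph->ihl)` call, and that ordering is the point of the change: the checksum reads ihl 32-bit words, with ihl taken from the packet, so the buffer has to be known to hold that many bytes first. I would add `/* ihl comes from the wire: the buffer must hold the full header before ip_fast_csum() reads it */` above the test so a later cleanup does not merge or reorder the conditions. The same `iph->ihl << 2` expression is repeated in the hunk at -429; a local holding the header length in bytes would keep the two checks in step. ip_rcv starts and ends outside this hunk.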
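Review bot: The added `len < (iph->ihl << 2)` test rejects a total length smaller than the header, but nothing beside it says so, and the reason only shows through the trim described in the comment just below. Presumably a `len` below the header size would let that trim cut into the header and leave later payload-length arithmetic wrong; a one-line comment such as `/* tot_len must cover at least the IP header */` would record the intent. The declaration of `len` and the opening of this block are outside the hunk, so its type and the exact trim call cannot be confirmed from here.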