rws@Mit-Bold.ARPA (04/13/84)
From: Robert W. Scheifler <rws@Mit-Bold.ARPA>
Description:
IP options are not adequately sanity-checked. In particular,
the option length is not checked to be reasonable. A zero
length option will cause the machine to hang, executing
a for loop in ip_dooptions() forever at netisr.
Repeat-By:
Send your enemies a bogus IP option specifying a zero option
length. Watch with glee as their machines hang.
Fix:
Other checks may be necessary, but in ip_dooptions you at least
need to change lines
        else
                optlen = cp[1];
to
        else {
                optlen = cp[1];
                if (optlen <= 0 || optlen > cnt)
                        goto bad;
        }
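
The effect of the length check on an option walk, as an added example that is not part of the original report and is not the 4.2BSD source. The names walk_options, MAX_STEPS, OPT_BAD and OPT_STUCK, the cnt < 2 guard, and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stdio.h>

#define IPOPT_EOL 0    /* end of option list */
#define IPOPT_NOP 1    /* one-byte padding option */
#define MAX_STEPS 64   /* demo-only cap so the unchecked walk terminates */
enum { OPT_BAD = -1, OPT_STUCK = -2 };

/* Constructed option areas, not captured traffic. */
static const unsigned char opts_ok[]    = { 1, 7, 7, 4, 0, 0, 0, 0, 0 };
static const unsigned char opts_zero[]  = { 7, 0, 0, 0 };  /* length byte 0 */
static const unsigned char opts_long[]  = { 7, 12, 4, 0 }; /* length > cnt  */
static const unsigned char opts_trunc[] = { 1, 1, 1, 7 };  /* no length byte */

/*
 * Walk an option area with the same loop shape as in the report.
 * check_len != 0 applies the length test from the Fix section.
 * Returns the number of options walked, OPT_BAD if the area is
 * rejected, or OPT_STUCK if the walk stops advancing (the hang).
 */
int walk_options(const unsigned char *cp, int cnt, int check_len)
{
    int opt, optlen, n = 0, steps = 0;

    for (; cnt > 0; cnt -= optlen, cp += optlen) {
        if (++steps > MAX_STEPS)
            return OPT_STUCK;
        opt = cp[0];
        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP)
            optlen = 1;
        else {
            if (cnt < 2)        /* added guard: length byte must be present */
                return OPT_BAD;
            optlen = cp[1];
            if (check_len && (optlen <= 0 || optlen > cnt))
                return OPT_BAD;
        }
        n++;
    }
    return n;
}

int main(void)
{
    printf("zero length, unchecked: %d\n", walk_options(opts_zero, (int)sizeof opts_zero, 0));
    printf("zero length, checked:   %d\n", walk_options(opts_zero, (int)sizeof opts_zero, 1));
    printf("well formed, checked:   %d\n", walk_options(opts_ok, (int)sizeof opts_ok, 1));
    return 0;
}
```

With the check disabled, the zero-length area leaves cnt and cp unchanged on every pass, so only the demo cap ends the loop.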