Index: ip_icmp.c
===================================================================
RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.39
diff -u -r1.39 ip_icmp.c
--- ip_icmp.c 2000/01/28 06:13:09 1.39
+++ ip_icmp.c 2000/06/08 15:26:39
@@ -662,8 +662,11 @@
 if (opt == IPOPT_NOP)
 len = 1;
 else {
+ if (cnt < IPOPT_OLEN + sizeof(*cp))
+ break;
 len = cp[IPOPT_OLEN];
- if (len <= 0 || len > cnt)
+ if (len < IPOPT_OLEN + sizeof(*cp) ||
+ len > cnt)
 break;
 }
 /*
Index: ip_input.c
===================================================================
RCS file: /ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.130
diff -u -r1.130 ip_input.c
--- ip_input.c 2000/02/23 20:11:57 1.130
+++ ip_input.c 2000/06/08 15:25:46
@@ -1067,8 +1067,12 @@
 if (opt == IPOPT_NOP)
 optlen = 1;
 else {
+ if (cnt < IPOPT_OLEN + sizeof(*cp)) {
+ code = &cp[IPOPT_OLEN] - (u_char *)ip;
+ goto bad;
+ }
 optlen = cp[IPOPT_OLEN];
- if (optlen <= 0 || optlen > cnt) {
+ if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
 code = &cp[IPOPT_OLEN] - (u_char *)ip;
 goto bad;
 }
@@ -1174,6 +1178,10 @@
 break;
 case IPOPT_RR:
+ if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
+ code = &cp[IPOPT_OFFSET] - (u_char *)ip;
+ goto bad;
+ }
 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
 goto bad;
Index: ip_output.c
===================================================================
RCS file: /ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.99
diff -u -r1.99 ip_output.c
--- ip_output.c 2000/03/09 14:57:15 1.99
+++ ip_output.c 2000/06/08 15:27:08
@@ -1302,8 +1302,10 @@
 if (opt == IPOPT_NOP)
 optlen = 1;
 else {
+ if (cnt < IPOPT_OLEN + sizeof(*cp))
+ goto bad;
 optlen = cp[IPOPT_OLEN];
- if (optlen <= IPOPT_OLEN || optlen > cnt)
+ if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
 goto bad;
 }
 switch (opt) {
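Review bot: The new guard `cnt < IPOPT_OLEN + sizeof(*cp)` in the ip_icmp.c hunk is evaluated in `size_t` arithmetic because of the `sizeof` operand. If `cnt` is a signed int (its declaration is outside the hunk), a negative value would convert to a very large unsigned one and pass the test, so the guard appears to rely on the enclosing loop keeping `cnt` positive. Writing it as `if (cnt < (int)(IPOPT_OLEN + sizeof(*cp)))` removes that dependency. A comment such as `/* an option other than NOP needs at least its type and length octets */` would explain what the expression means. The same expression is used in the ip_input.c `@@ -1067` hunk and the ip_output.c `@@ -1302` hunk, and the same remark applies there.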
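Review bot: On the new `cnt < IPOPT_OLEN + sizeof(*cp)` path in the ip_input.c `@@ -1067` hunk, `code` is set to the offset of `cp[IPOPT_OLEN]`, an octet that this very test has just shown to lie past the end of the remaining options. Whatever consumes `code` at `bad:` (outside the hunk, presumably the ICMP parameter-problem pointer) would then refer to a byte beyond the option area. Pointing at the option's type octet with `code = cp - (u_char *)ip;` keeps the value inside the header. The IPOPT_RR check added in the `@@ -1174` hunk has the same shape: when `optlen` is 2, `cp[IPOPT_OFFSET]` is not part of the option, so `code = &cp[IPOPT_OLEN] - (u_char *)ip;` would name the field actually at fault.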
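Review bot: Only the `case IPOPT_RR:` branch gains an `optlen < IPOPT_OFFSET + sizeof(*cp)` guard in the ip_input.c `@@ -1174` hunk, yet after the earlier length check `optlen` is only known to be at least 2 for every option type. Any other case in the same switch that reads `cp[IPOPT_OFFSET]` or overlays a larger option structure on `cp` needs an equivalent minimum-length test before the read; the source-route and timestamp cases would be the likely candidates. Those cases are outside the diff, so I cannot tell whether they are already covered; please confirm or extend the patch. A short comment above the new test, for example `/* RR needs type, length and pointer octets */`, would also make the intent clear.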