[PATCH 18/21] netlink: fix IP length check (SECURITY)

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Apr 24 02:37:37 BST 2014


This would erroneously abort on some very short packets.

This is a DoS vulnerability, exposed to internal sites only.

Signed-off-by: Ian Jackson <ijackson at chiark.greenend.org.uk>
---
 debian/changelog |    1 +
 netlink.c        |    2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index fe6caae..46645f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ secnet (0.3.1~~unstable) unstable; urgency=low
   * SECURITY: Fixes to MTU and fragmentation handling.
   * SECURITY: Correctly set "unused" ICMP header field.
   * Do not send ICMP errors in response to unknown incoming ICMP.
+  * SECURITY: Fix IP length check not to crash on very short packets.
 
  --
 
diff --git a/netlink.c b/netlink.c
index 2c3d12d..787f4eb 100644
--- a/netlink.c
+++ b/netlink.c
@@ -831,7 +831,7 @@ static void netlink_incoming(struct netlink *st, struct netlink_client *client,
 	BUF_FREE(buf);
 	return;
     }
-    assert(buf->size >= (int)sizeof(struct icmphdr));
+    assert(buf->size >= (int)sizeof(struct iphdr));
     iph=(struct iphdr *)buf->start;
 
     source=ntohl(iph->saddr);
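Review bot: the assertion still aborts on a length condition, and the hunk does not show the check that is supposed to make it an invariant; the `if` block whose closing brace opens this hunk frees the buffer and returns, so please confirm that it rejects every packet with `buf->size < (int)sizeof(struct iphdr)`. If it does, the new `assert(buf->size >= (int)sizeof(struct iphdr))` is correct and the old bound was simply the wrong header: `iph` is dereferenced as a `struct iphdr` on the next line, and `struct icmphdr` is smaller than `struct iphdr`, so the previous assertion could pass on a packet that is still too short for that dereference. If it does not, an `assert` is the wrong tool for attacker-controlled packet lengths: it is compiled out under `NDEBUG`, and where it is enabled it turns a malformed packet into exactly the abort the commit message describes, so a runtime `if (...) { BUF_FREE(buf); return; }` in the same shape as the preceding check would be the safer fix.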
-- 
1.7.10.4