Apply by doing cd /usr/src patch -p0 <023_ip_ah.patch And then rebuild your kernel. Index: sys/netinet/ip_ah.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_ah.c,v retrieving revision 1.45 retrieving revision 1.46 diff -u -r1.45 -r1.46 --- sys/netinet/ip_ah.c 2000/11/17 04:15:42 1.45 +++ sys/netinet/ip_ah.c 2001/02/20 06:48:06 1.46 @@ -253,6 +253,17 @@ /* IPv4 option processing */ for (off = sizeof(struct ip); off < skip;) { + if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP || + off + 1 < skip) + ; + else + { + DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off])); + ahstat.ahs_hdrops++; + m_freem(m); + return EINVAL; + } + switch (ptr[off]) { case IPOPT_EOL: @@ -268,10 +279,10 @@ case 0x86: /* Commercial security */ case 0x94: /* Router alert */ case 0x95: /* RFC1770 */ - /* Sanity check for zero-length options */ - if (ptr[off + 1] == 0) + /* Sanity check for option length */ + if (ptr[off + 1] < 2) { - DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d\n", ptr[off])); + DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off])); ahstat.ahs_hdrops++; m_freem(m); return EINVAL; @@ -282,6 +293,15 @@ case IPOPT_LSRR: case IPOPT_SSRR: + /* Sanity check for option length */ + if (ptr[off + 1] < 2) + { + DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off])); + ahstat.ahs_hdrops++; + m_freem(m); + return EINVAL; + } + /* * On output, if we have either of the source routing * options, we should swap the destination address of @@ -296,10 +316,10 @@ /* Fall through */ default: - /* Sanity check for zero-length options */ - if (ptr[off + 1] == 0) + /* Sanity check for option length */ + if (ptr[off + 1] < 2) { - DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d\n", ptr[off])); + DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off])); ahstat.ahs_hdrops++; m_freem(m); return EINVAL;