From fdcb8debf6d35693fccba948bcaf2551dcbb4045 Mon Sep 17 00:00:00 2001
From: Jun-ichiro itojun Hagino
Date: Wed, 10 May 2000 01:25:33 +0000
Subject: [PATCH] correct more out-of-bounds memory access, if cnt == 1 and optlen > 1. similar to recent fix to sys/netinet/ipf.c (by darren).
---
 sys/netinet/ip_input.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 0d9273d89ee..683a767341a 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1078,6 +1078,10 @@ ip_dooptions(m)
 if (opt == IPOPT_NOP)
 optlen = 1;
 else {
+ if (cnt < IPOPT_OLEN + sizeof(*cp)) {
+ code = &cp[IPOPT_OLEN] - (u_char *)ip;
+ goto bad;
+ }
 optlen = cp[IPOPT_OLEN];
 if (optlen <= 0 || optlen > cnt) {
 code = &cp[IPOPT_OLEN] - (u_char *)ip;
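Review bot: The lower bound in the context line `if (optlen <= 0 || optlen > cnt) {` still accepts a declared length of 1 for an option that carries a length byte, which is shorter than the two bytes (type and length) the added guard has just confirmed are present. Reusing the same expression there, `if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {`, would reject such a malformed option before any per-option handler sees it. Whether those handlers assume a minimum length cannot be judged from here, since the rest of ip_dooptions lies outside the hunk. Separately, the added guard compares `cnt` against a `size_t` expression, so `cnt` is converted to unsigned and the test only holds if the enclosing loop guarantees `cnt > 0`. That is presumably the case but is not visible in this hunk, so a comment such as `/* cnt > 0 here; need both the type and the length byte */` would make the assumption explicit.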