From 7eb7a449c4c5bd17b1a5f8bcc1935282872c568f Mon Sep 17 00:00:00 2001
From: Andras Olah
Date: Thu, 17 Aug 1995 22:09:14 +0000
Subject: [PATCH] Add a sanity check for the UDP length field in order to prevent malformed UDP packets to panic the kernel.

Reviewed by: davidg, wollman
Obtained from: dab@berserkly.cray.com (David A. Borman) via end2end list
---
 sys/netinet/udp_usrreq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 7e13103b4bcc..3ed0a02cf9fe 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)udp_usrreq.c 8.4 (Berkeley) 1/21/94
- * $Id: udp_usrreq.c,v 1.11 1995/05/09 13:35:48 davidg Exp $
+ * $Id: udp_usrreq.c,v 1.12 1995/05/30 08:10:02 rgrimes Exp $
 */

 #include
@@ -137,7 +137,7 @@ udp_input(m, iphlen)
 */
 len = ntohs((u_short)uh->uh_ulen);
 if (ip->ip_len != len) {
- if (len > ip->ip_len) {
+ if (len > ip->ip_len || len < sizeof(struct udphdr)) {
 udpstat.udps_badlen++;
 goto bad;
 }
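Review bot: The new lower bound `len < sizeof(struct udphdr)` in the second hunk (udp_input) is evaluated only inside `if (ip->ip_len != len)`, so a datagram whose `ip->ip_len` and UDP length field agree but are both smaller than a UDP header never reaches it. Whether that case is already rejected depends on code before the hunk, which is not visible here. If it is not, testing the bounds unconditionally, `if (len < sizeof(struct udphdr) || len > ip->ip_len) { udpstat.udps_badlen++; goto bad; }`, and keeping the `ip->ip_len != len` branch only for whatever adjustment follows would close the gap. A short comment such as `/* uh_ulen comes off the wire: reject values below the UDP header size or above the IP length */` would record why the test exists. udp_input starts and ends outside the hunk.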