Synopsis: 
NetBSD versions: 1.6.1, 1.6, 1.5.3, 1.5.2, 1.5.1, 1.5
Thanks to: Ignatios Souvatzis
Reported in NetBSD Security Advisory: NetBSD-SA2003-010

Index: sys/netiso/clnp_er.c
===================================================================
RCS file: /cvsroot/src/sys/netiso/clnp_er.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -c -p -r1.12 -r1.13
*** sys/netiso/clnp_er.c	2001/11/13 01:10:46	1.12
--- sys/netiso/clnp_er.c	2003/05/25 08:47:54	1.13
*************** clnp_emit_er(m, reason)
*** 254,260 ****
  	struct iso_addr src, dst, *our_addr;
  	caddr_t         hoff, hend;
  	int             total_len;	/* total len of dg */
- 	struct mbuf    *m0;	/* contains er pdu hdr */
  	struct iso_ifaddr *ia = 0;
  
  #ifdef ARGO_DEBUG
--- 254,259 ----
*************** clnp_emit_er(m, reason)
*** 329,340 ****
  #endif
  
  	/* allocate mbuf for er pdu header: punt on no space */
! 	MGET(m0, M_DONTWAIT, MT_HEADER);
! 	if (m0 == 0)
  		goto bad;
  
! 	m0->m_next = m;
! 	er = mtod(m0, struct clnp_fixed *);
  	*er = er_template;
  
  	/* setup src/dst on er pdu */
--- 328,344 ----
  #endif
  
  	/* allocate mbuf for er pdu header: punt on no space */
! 	/*
! 	 * fixed part, two addresses and their length bytes, and a 
! 	 * 4-byte option
! 	 */
! 
! 	M_PREPEND(m, sizeof(struct clnp_fixed) + 4 + 1 + 1 +
! 			src.isoa_len + our_addr->isoa_len, M_DONTWAIT);
! 	if (m == 0)
  		goto bad;
  
! 	er = mtod(m, struct clnp_fixed *);
  	*er = er_template;
  
  	/* setup src/dst on er pdu */
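Review bot: The failure path after `M_PREPEND` is different from the one after the old `MGET`: `M_PREPEND` frees the whole chain and leaves `m` NULL when it cannot get space, so whatever `bad:` does with `m` (it lies outside this hunk) must now tolerate a NULL `m` — `m_freem(NULL)` is harmless, but any other use of `m` there would be a use-after-free. It is also worth confirming that `our_addr` is guaranteed non-NULL by the code between the two hunks, since the new size expression dereferences it before the header is built. On style, the old one-line comment "allocate mbuf for er pdu header" no longer describes what happens (space is reserved in front of `m`, an mbuf is only allocated when there is no leading room), and the stray blank line after the new block comment separates it from the macro it explains; I would fold them into one comment, e.g. `/* Make room in front of the datagram for the ER PDU header: fixed part, two addresses with their length bytes, and a 4-byte option. M_PREPEND frees the chain on failure. */`, directly above `M_PREPEND`. clnp_emit_er starts before and ends after this hunk.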
*************** clnp_emit_er(m, reason)
*** 355,374 ****
  	*hoff++ = 0;		/* error localization = not specified */
  
  	/* set length */
! 	er->cnf_hdr_len = m0->m_len = (u_char) (hoff - (caddr_t) er);
! 	total_len = m0->m_len + m->m_len;
  	HTOC(er->cnf_seglen_msb, er->cnf_seglen_lsb, total_len);
  
  	/* compute checksum (on header only) */
! 	iso_gen_csum(m0, CLNP_CKSUM_OFF, (int) er->cnf_hdr_len);
  
  	/* trim packet if too large for interface */
  	if (total_len > ifp->if_mtu)
! 		m_adj(m0, -(total_len - ifp->if_mtu));
  
  	/* send packet */
  	INCSTAT(cns_er_outhist[clnp_er_index(reason)]);
! 	(void) (*ifp->if_output) (ifp, m0, first_hop, route.ro_rt);
  	goto done;
  
  bad:
--- 359,378 ----
  	*hoff++ = 0;		/* error localization = not specified */
  
  	/* set length */
! 	er->cnf_hdr_len = (u_char) (hoff - (caddr_t) er);
! 	total_len = m->m_pkthdr.len;
  	HTOC(er->cnf_seglen_msb, er->cnf_seglen_lsb, total_len);
  
  	/* compute checksum (on header only) */
! 	iso_gen_csum(m, CLNP_CKSUM_OFF, (int) er->cnf_hdr_len);
  
  	/* trim packet if too large for interface */
  	if (total_len > ifp->if_mtu)
! 		m_adj(m, -(total_len - ifp->if_mtu));
  
  	/* send packet */
  	INCSTAT(cns_er_outhist[clnp_er_index(reason)]);
! 	(void) (*ifp->if_output) (ifp, m, first_hop, route.ro_rt);
  	goto done;
  
  bad:
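Review bot: `er->cnf_hdr_len` is derived from how far `hoff` advanced while building the header, while the space reserved in front of the datagram is computed separately from `src.isoa_len` and `our_addr->isoa_len` in the previous hunk; nothing ties the two together, so a later edit to either side would silently leave `m_len`/`m_pkthdr.len` disagreeing with the header the checksum and `cnf_seglen` describe. I would pin the invariant next to the length assignment, e.g. `KASSERT(er->cnf_hdr_len == sizeof(struct clnp_fixed) + 4 + 1 + 1 + src.isoa_len + our_addr->isoa_len);`. The new `total_len = m->m_pkthdr.len;` also relies on `m` carrying `M_PKTHDR` (otherwise `m_pkthdr.len` is garbage and `M_PREPEND` would not have maintained it); that looks like the intent given `if_output` is called with `m`, but the caller contract is not visible here and deserves a one-line comment such as `/* m is a packet header mbuf; M_PREPEND kept m_pkthdr.len up to date */`. clnp_emit_er's `bad:` handling continues outside the hunk.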
