Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.66
retrieving revision 1.66.4.3
diff -u -p -r1.66 -r1.66.4.3
--- src/sys/netinet/udp_usrreq.c 2000/03/30 13:25:11 1.66
+++ src/sys/netinet/udp_usrreq.c 2000/12/15 03:29:16 1.66.4.3
@@ -1,4 +1,4 @@
-/* $NetBSD: udp_usrreq.c,v 1.66 2000/03/30 13:25:11 augustss Exp $ */
+/* $NetBSD: udp_usrreq.c,v 1.66.4.3 2000/12/15 03:29:16 he Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -232,7 +232,7 @@ udp_input(m, va_alist)
 */
 len = ntohs((u_int16_t)uh->uh_ulen);
 if (ip->ip_len != iphlen + len) {
- if (ip->ip_len < iphlen + len) {
+ if (ip->ip_len < iphlen + len || len < sizeof(struct udphdr)) {
 udpstat.udps_badlen++;
 goto bad;
 }
@@ -554,7 +554,7 @@ udp4_realinput(src, dst, m, off)
 dst4 = &dst->sin_addr;
 dport = &dst->sin_port;
 
- if (IN_MULTICAST(src4->s_addr) ||
+ if (IN_MULTICAST(dst4->s_addr) ||
 in_broadcast(*dst4, m->m_pkthdr.rcvif)) {
 struct inpcb *last;
 /*
@@ -703,7 +703,7 @@ udp6_realinput(af, src, dst, m, off)
 u_int16_t *sport, *dport;
 int rcvcnt;
 struct in6_addr *src6, *dst6;
- struct in_addr *src4;
+ struct in_addr *dst4;
 struct in6pcb *in6p;
 
 rcvcnt = 0;
@@ -718,10 +718,10 @@ udp6_realinput(af, src, dst, m, off)
 sport = &src->sin6_port;
 dst6 = &dst->sin6_addr;
 dport = &dst->sin6_port;
- src4 = (struct in_addr *)&src->sin6_addr.s6_addr32[12];
+ dst4 = (struct in_addr *)&dst->sin6_addr.s6_addr32[12];
 
 if (IN6_IS_ADDR_MULTICAST(dst6)
- || (af == AF_INET && IN_MULTICAST(src4->s_addr))) {
+ || (af == AF_INET && IN_MULTICAST(dst4->s_addr))) {
 struct in6pcb *last;
 /*
 * Deliver a multicast or broadcast datagram to *all* sockets
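Review bot: The new `len < sizeof(struct udphdr)` test sits inside the `ip->ip_len != iphlen + len` branch of the `@@ -232,7 +232,7 @@` hunk, so a datagram whose `uh_ulen` is below the header size but matches `ip_len` exactly is not rejected by this check. That case may already be excluded by a header-length check earlier in udp_input, which starts and continues outside the hunk, but nothing visible says so. Either hoist the bound ahead of the outer `if` as `if (len < sizeof(struct udphdr)) { udpstat.udps_badlen++; goto bad; }`, or, once the earlier guard is confirmed, add a comment such as `/* equal-length case with a short uh_ulen is rejected by the header pull above */`. The same applies to the second udp_input hunk at `@@ -925,7 +925,7 @@`.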
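Review bot: `&dst->sin6_addr.s6_addr32[12]` in the `@@ -718,10 +718,10 @@` hunk keeps the index from the old `src4` line, and if `s6_addr32` is the usual four-element 32-bit view of the address, element 12 lies 48 bytes in, past the end of `sin6_addr`. In that case `IN_MULTICAST(dst4->s_addr)` reads memory outside the sockaddr whenever `af == AF_INET`, so the multicast decision is made on unrelated bytes. The embedded IPv4 address of a mapped address sits at byte offset 12, so the line should read `dst4 = (struct in_addr *)&dst->sin6_addr.s6_addr[12];` (equivalently `s6_addr32[3]`). udp6_realinput starts and ends outside this hunk.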
@@ -925,7 +925,7 @@ udp_input(m, va_alist)
 */
 len = ntohs((u_int16_t)uh->uh_ulen);
 if (ip->ip_len != iphlen + len) {
- if (ip->ip_len < iphlen + len) {
+ if (ip->ip_len < iphlen + len || len < sizeof(struct udphdr)) {
 udpstat.udps_badlen++;
 goto bad;
 }