emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add more explicit length checks for get_raw_packet.

Browse Source
This commit is contained in:
Nicholas J. Kain 2014-07-25 20:34:01 -04:00
parent 2518e0a2bc
commit 12114c9bae
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/dhcp.c
View File

@ -186,16 +186,16 @@ static ssize_t get_raw_packet(struct client_state_t *cs,
} }
size_t iphdrlen = ntohs(packet.ip.tot_len); size_t iphdrlen = ntohs(packet.ip.tot_len);
if ((size_t)inc != iphdrlen) { if ((size_t)inc != iphdrlen) {
log_warning("%s: UDP length [%zd] does not match header length field [%zu].", log_error("%s: UDP length [%zd] does not match header length field [%zu].",
client_config.interface, inc, iphdrlen); client_config.interface, inc, iphdrlen);
return -2; return -2;
} }
if (!cs->using_dhcp_bpf && !get_raw_packet_validate_bpf(&packet)) if (!cs->using_dhcp_bpf && !get_raw_packet_validate_bpf(&packet))
return -2; return -2;
if (!ip_checksum(&packet)) { if (!ip_checksum(&packet)) {
log_warning("%s: IP header checksum incorrect.", log_error("%s: IP header checksum incorrect.",
client_config.interface); client_config.interface);
return -2; return -2;
} }
if (packet.udp.check && !udp_checksum(&packet)) { if (packet.udp.check && !udp_checksum(&packet)) {
@ -203,7 +203,17 @@ static ssize_t get_raw_packet(struct client_state_t *cs,
client_config.interface); client_config.interface);
return -2; return -2;
} }
if (iphdrlen <= sizeof packet.ip + sizeof packet.udp) {
log_error("%s: Packet received that is too small (%zu bytes).",
iphdrlen);
return -2;
}
size_t l = iphdrlen - sizeof packet.ip - sizeof packet.udp; size_t l = iphdrlen - sizeof packet.ip - sizeof packet.udp;
if (l > sizeof *payload) {
log_error("%s: Packet received that is too long (%zu bytes).",
l);
return -2;
}
memcpy(payload, &packet.data, l); memcpy(payload, &packet.data, l);
return l; return l;
} }