From 9f87bd8b30bd336bff20390e67088d4396150027 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Tue, 6 Jan 2015 07:07:08 -0500
Subject: [PATCH] udp_checksum(): Clamp the value of the UDP packet header length.

Without this change, it is possible for malicious UDP packets to make the function read past the end of a buffer. If this was ever a possibility in ndhc, the previous commit fixed that issue, but there is no reason for udp_checksum() to have such a subtle precondition to proper use. This change also makes it easier to audit correctness.
---
 src/dhcp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/dhcp.c b/src/dhcp.c
index 37dc9e8..8528265 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -132,7 +132,10 @@ static int udp_checksum(struct ip_udp_dhcp_packet *packet)
 .protocol = packet->ip.protocol,
 .tot_len = packet->udp.len,
 };
- uint16_t udpcs = net_checksum161c(&packet->udp, ntohs(packet->udp.len));
+ uint16_t udpcs =
+ net_checksum161c(&packet->udp,
+ min_size_t(ntohs(packet->udp.len),
+ sizeof *packet - sizeof(struct iphdr)));
 uint16_t hdrcs = net_checksum161c(&ph, sizeof ph);
 uint16_t cs = net_checksum161c_add(udpcs, hdrcs);
 return cs == 0;
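Review bot: In the new `net_checksum161c(&packet->udp, min_size_t(...))` call an oversized `udp.len` is clamped silently, while the pseudo-header just above still carries the unclamped `.tot_len = packet->udp.len`, so the two sums cover inconsistent lengths and the packet is rejected only if the checksum happens not to come out as zero. Rejecting such a packet outright is easier to audit: `size_t ulen = ntohs(packet->udp.len);` followed by `if (ulen < sizeof packet->udp || ulen > sizeof *packet - sizeof packet->ip) return 0;`, which also covers a length shorter than the UDP header itself. The bound used is the full struct size, not the number of bytes actually received, so the function presumably still relies on the caller having validated the read length; a short comment stating that precondition would help. udp_checksum()'s body starts and ends outside the hunk.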