udp_checksum(): Clamp the value of the UDP packet header length.
Without this change, it is possible for malicious UDP packets to make the function read past the end of a buffer. If this was ever a possibility in ndhc, the previous commit fixed that issue, but there is no reason for udp_checksum() to have such a subtle precondition to proper use. This change also makes it easier to audit correctness.
This commit is contained in:
parent
6548b5ce54
commit
9f87bd8b30
@ -132,7 +132,10 @@ static int udp_checksum(struct ip_udp_dhcp_packet *packet)
|
|||||||
.protocol = packet->ip.protocol,
|
.protocol = packet->ip.protocol,
|
||||||
.tot_len = packet->udp.len,
|
.tot_len = packet->udp.len,
|
||||||
};
|
};
|
||||||
uint16_t udpcs = net_checksum161c(&packet->udp, ntohs(packet->udp.len));
|
uint16_t udpcs =
|
||||||
|
net_checksum161c(&packet->udp,
|
||||||
|
min_size_t(ntohs(packet->udp.len),
|
||||||
|
sizeof *packet - sizeof(struct iphdr)));
|
||||||
uint16_t hdrcs = net_checksum161c(&ph, sizeof ph);
|
uint16_t hdrcs = net_checksum161c(&ph, sizeof ph);
|
||||||
uint16_t cs = net_checksum161c_add(udpcs, hdrcs);
|
uint16_t cs = net_checksum161c_add(udpcs, hdrcs);
|
||||||
return cs == 0;
|
return cs == 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user