udp_checksum(): Clamp the value of the UDP packet header length.

Without this change, it is possible for malicious UDP packets to
make the function read past the end of a buffer.

If this was ever a possibility in ndhc, the previous commit fixed
that issue, but there is no reason for udp_checksum() to have
such a subtle precondition to proper use.  This change also makes
it easier to audit correctness.
This commit is contained in:
Nicholas J. Kain 2015-01-06 07:07:08 -05:00
parent 6548b5ce54
commit 9f87bd8b30

View File

@ -132,7 +132,10 @@ static int udp_checksum(struct ip_udp_dhcp_packet *packet)
.protocol = packet->ip.protocol, .protocol = packet->ip.protocol,
.tot_len = packet->udp.len, .tot_len = packet->udp.len,
}; };
uint16_t udpcs = net_checksum161c(&packet->udp, ntohs(packet->udp.len)); uint16_t udpcs =
net_checksum161c(&packet->udp,
min_size_t(ntohs(packet->udp.len),
sizeof *packet - sizeof(struct iphdr)));
uint16_t hdrcs = net_checksum161c(&ph, sizeof ph); uint16_t hdrcs = net_checksum161c(&ph, sizeof ph);
uint16_t cs = net_checksum161c_add(udpcs, hdrcs); uint16_t cs = net_checksum161c_add(udpcs, hdrcs);
return cs == 0; return cs == 0;