Add more explicit length checks for get_raw_packet.

Nicholas J. Kain 2014-07-25 20:34:01 -04:00
parent 2518e0a2bc
commit 12114c9bae


@ -186,7 +186,7 @@ static ssize_t get_raw_packet(struct client_state_t *cs,
} }
size_t iphdrlen = ntohs(packet.ip.tot_len); size_t iphdrlen = ntohs(packet.ip.tot_len);
if ((size_t)inc != iphdrlen) { if ((size_t)inc != iphdrlen) {
log_warning("%s: UDP length [%zd] does not match header length field [%zu].", log_error("%s: UDP length [%zd] does not match header length field [%zu].",
client_config.interface, inc, iphdrlen); client_config.interface, inc, iphdrlen);
return -2; return -2;
} }
@ -194,7 +194,7 @@ static ssize_t get_raw_packet(struct client_state_t *cs,
return -2; return -2;
if (!ip_checksum(&packet)) { if (!ip_checksum(&packet)) {
log_warning("%s: IP header checksum incorrect.", log_error("%s: IP header checksum incorrect.",
client_config.interface); client_config.interface);
return -2; return -2;
} }
@ -203,7 +203,17 @@ static ssize_t get_raw_packet(struct client_state_t *cs,
client_config.interface); client_config.interface);
return -2; return -2;
} }
if (iphdrlen <= sizeof packet.ip + sizeof packet.udp) {
log_error("%s: Packet received that is too small (%zu bytes).",
iphdrlen);
return -2;
}
size_t l = iphdrlen - sizeof packet.ip - sizeof packet.udp; size_t l = iphdrlen - sizeof packet.ip - sizeof packet.udp;
if (l > sizeof *payload) {
log_error("%s: Packet received that is too long (%zu bytes).",
l);
return -2;
}
memcpy(payload, &packet.data, l); memcpy(payload, &packet.data, l);
return l; return l;
} }
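Review bot: The two new `log_error` calls in the third hunk (the too-small and too-long checks) pass a single argument, `iphdrlen` and `l` respectively, to a format string that contains both `%s` and `%zu`. Assuming `log_error` is printf-style, as the other calls suggest, `%s` then reads a `size_t` as a string pointer and `%zu` reads an argument that was never passed, which is undefined behaviour on a path a malformed packet from the network can reach. Pass the interface name first, as the neighbouring calls do: `log_error("%s: Packet received that is too small (%zu bytes).", client_config.interface, iphdrlen);` and likewise `client_config.interface, l);` for the too-long message. Building with `-Wformat` and a printf format attribute on the logging wrapper would catch this class of mismatch at compile time. The body of `get_raw_packet` begins outside the visible hunks, so the earlier bounds on `inc` could not be checked here.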