Validate UDP better by ensuring data len is not bigger than our struct

and that the claimed length by the header is not greater than our length. Thanks to Michael Olney.
author: Roy Marples <roy@marples.name> 2009-02-28 08:59:48 +0000
committer: Roy Marples <roy@marples.name> 2009-02-28 08:59:48 +0000
commit: e103c79fca52c8f8eeb651e7f0e273000fe68819 (patch)
tree: 5e9fabd145e2fc05d04e5db152a60dabb51a261c /net.c
parent: e095a6ebb581216ef8369d1e468a6682332498a7 (diff)
download: dhcpcd-e103c79fca52c8f8eeb651e7f0e273000fe68819.tar.xz
1 files changed, 10 insertions, 3 deletions
diff --git a/net.c b/net.c
index 0db55c0f..f624a5f8 100644
--- a/net.c
+++ b/net.c
@@ -639,18 +639,26 @@ get_udp_data(const uint8_t **data, const uint8_t *udp)
 }
 
 int
-valid_udp_packet(const uint8_t *data)
+valid_udp_packet(const uint8_t *data, size_t data_len)
 {
 	struct udp_dhcp_packet packet;
 	uint16_t bytes, udpsum;
 
-	memcpy(&packet, data, sizeof(packet));
+	if (data_len > sizeof(packet)) {
+		errno = EINVAL;
+		return -1;
+	}
+	memcpy(&packet, data, data_len);
 	if (checksum(&packet.ip, sizeof(packet.ip)) != 0) {
 		errno = EINVAL;
 		return -1;
 	}
 
 	bytes = ntohs(packet.ip.ip_len);
+	if (data_len < bytes) {
+		errno = EINVAL;
+		return -1;
+	}
 	udpsum = packet.udp.uh_sum;
 	packet.udp.uh_sum = 0;
 	packet.ip.ip_hl = 0;
@@ -668,4 +676,3 @@ valid_udp_packet(const uint8_t *data)
 
 	return 0;
 }
-
author	Roy Marples <roy@marples.name>	2009-02-28 08:59:48 +0000
committer	Roy Marples <roy@marples.name>	2009-02-28 08:59:48 +0000
commit	e103c79fca52c8f8eeb651e7f0e273000fe68819 (patch)
tree	5e9fabd145e2fc05d04e5db152a60dabb51a261c /net.c
parent	e095a6ebb581216ef8369d1e468a6682332498a7 (diff)
download	dhcpcd-e103c79fca52c8f8eeb651e7f0e273000fe68819.tar.xz