Add check that the packet size received is >= expected packet header size.
authorJohn Wolfe <jwolfe@vmware.com>
Mon, 7 Jun 2021 15:25:09 +0000 (08:25 -0700)
committerJohn Wolfe <jwolfe@vmware.com>
Mon, 7 Jun 2021 15:25:09 +0000 (08:25 -0700)
DnD RpcV3: A corrupted packet received may result in an out of bounds (OOB)
memory access if the length of the message received is less than the size
of the expected packet header.

open-vm-tools/services/plugins/dndcp/dndGuest/rpcV3Util.cpp

index f4ed95b4c42b2c03fba62b3cf3d9efe5f8a02ee8..89515a79e765c2a2bb71ea74c3e5ddcb512f1341 100644 (file)
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2010-2019 VMware, Inc. All rights reserved.
+ * Copyright (C) 2010-2021 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -306,7 +306,13 @@ RpcV3Util::OnRecvPacket(uint32 srcId,
 {
    DnDTransportPacketHeader *packetV3 = (DnDTransportPacketHeader *)packet;
    ASSERT(packetV3);
-   if (packetSize <= 0 || packetSize > DND_MAX_TRANSPORT_PACKET_SIZE ||
+   /*
+    * Adding extra check to verify the validity of packetSize,
+    * In case payload is corrupted its causing illegal access exceptions.
+    * bug: 2639178
+    */
+   if (packetSize < sizeof(DnDTransportPacketHeader) ||
+       packetSize > DND_MAX_TRANSPORT_PACKET_SIZE ||
        packetV3->payloadSize > DND_MAX_TRANSPORT_PACKET_PAYLOAD_SIZE ||
        (packetV3->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE) != packetSize) {
       goto invalid_packet;
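Review bot: The new lower bound `packetSize < sizeof(DnDTransportPacketHeader)` measures the header differently from the consistency check two lines below it, which uses `DND_TRANSPORT_PACKET_HEADER_SIZE`. The struct definition is not visible in this hunk; if it ends in a payload placeholder member or carries padding, `sizeof` would exceed the macro and a well-formed packet with `payloadSize` of 0 would now be sent to `invalid_packet`. Using one constant for both checks keeps them in agreement, for example `if (packetSize < DND_TRANSPORT_PACKET_HEADER_SIZE ||`, provided the macro covers every header field read here. Separately, `ASSERT(packetV3)` is the only null check before `packetV3->payloadSize` is read, and it may be compiled out of release builds, so an explicit `packet == NULL` test in the same condition would be safer. The body of `OnRecvPacket` continues outside this hunk.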