Don't trust udp -> uh_len.

author Ted Lemon <source@isc.org>

Fri, 13 Oct 2000 18:54:56 +0000 (18:54 +0000)

committer Ted Lemon <source@isc.org>

Fri, 13 Oct 2000 18:54:56 +0000 (18:54 +0000)
author Ted Lemon <source@isc.org>
Fri, 13 Oct 2000 18:54:56 +0000 (18:54 +0000)
committer Ted Lemon <source@isc.org>
Fri, 13 Oct 2000 18:54:56 +0000 (18:54 +0000)
diff --git a/common/packet.c b/common/packet.c

index 6c7ee8864ec77e658e789e9f30edb0c10718ba78..9ed7517ec4542f346375d4c092a2c829c2b49391 100644 (file)
--- a/common/packet.c
+++ b/common/packet.c
@@ -42,7 +42,7 @@
  
  #ifndef lint
  static char copyright[] =
-"$Id: packet.c,v 1.36 2000/09/20 10:08:51 mellon Exp $ Copyright (c) 1996-2000 The Internet Software Consortium.  All rights reserved.\n";
+"$Id: packet.c,v 1.37 2000/10/13 18:54:56 mellon Exp $ Copyright (c) 1996-2000 The Internet Software Consortium.  All rights reserved.\n";
  #endif /* not lint */
  
  #include "dhcpd.h"
@@ -252,6 +252,12 @@ ssize_t decode_udp_ip_header (interface, buf, bufix, from, data, buflen)
           return -1;
  #endif /* USERLAND_FILTER */
  
+  if (udp -> uh_ulen < sizeof udp ||
+      ((unsigned char *)udp) + udp -> uh_ulen > buf + buflen) {
+         log_info ("bogus UDP packet length: %d\n", udp -> uh_ulen);
+         return -1;
+  }
+
    /* Check the IP header checksum - it should be zero. */
    ++ip_packets_seen;
    if (wrapsum (checksum (buf + bufix, ip_len, 0))) {
author	Ted Lemon <source@isc.org>
	Fri, 13 Oct 2000 18:54:56 +0000 (18:54 +0000)
committer	Ted Lemon <source@isc.org>
	Fri, 13 Oct 2000 18:54:56 +0000 (18:54 +0000)