and that the length claimed by the header is not greater than our length.
Thanks to Michael Olney.
packet, udp_dhcp_len);
if (bytes == 0 || bytes == -1)
break;
- if (valid_udp_packet(packet) == -1)
+ if (valid_udp_packet(packet, bytes) == -1)
continue;
bytes = get_udp_data(&pp, packet);
if ((size_t)bytes > sizeof(*dhcp)) {
}
int
-valid_udp_packet(const uint8_t *data)
+valid_udp_packet(const uint8_t *data, size_t data_len)
{
struct udp_dhcp_packet packet;
uint16_t bytes, udpsum;
- memcpy(&packet, data, sizeof(packet));
+ if (data_len > sizeof(packet)) {
+ errno = EINVAL;
+ return -1;
+ }
+ memcpy(&packet, data, data_len);
if (checksum(&packet.ip, sizeof(packet.ip)) != 0) {
errno = EINVAL;
return -1;
}
bytes = ntohs(packet.ip.ip_len);
+ if (data_len < bytes) {
+ errno = EINVAL;
+ return -1;
+ }
udpsum = packet.udp.uh_sum;
packet.udp.uh_sum = 0;
packet.ip.ip_hl = 0;
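Review bot: The new length check in valid_udp_packet() has an upper bound but no lower bound, so a short datagram leaves the tail of `packet` uninitialised after `memcpy(&packet, data, data_len)`. The following `checksum(&packet.ip, sizeof(packet.ip))` and `ntohs(packet.ip.ip_len)` then operate on stack bytes that were never received. Rejecting anything shorter than the two headers before the copy closes this: `if (data_len < sizeof(packet.ip) + sizeof(packet.udp) || data_len > sizeof(packet)) {`. The same floor likely belongs on `bytes` after `ntohs()`, because an `ip_len` smaller than the headers still passes `data_len < bytes`. The function continues past this hunk, so how the later UDP checksum code uses `bytes` is not visible here.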
return 0;
}
-
ssize_t make_udp_packet(uint8_t **, const uint8_t *, size_t,
struct in_addr, struct in_addr);
ssize_t get_udp_data(const uint8_t **, const uint8_t *);
-int valid_udp_packet(const uint8_t *);
+int valid_udp_packet(const uint8_t *, size_t);
int open_socket(struct interface *, int);
ssize_t send_packet(const struct interface *, struct in_addr,