From: Ted Lemon <source@isc.org>
Date: Fri, 13 Oct 2000 18:54:56 +0000 (+0000)
Subject: Don't trust udp -> uh_len.
X-Git-Tag: V3-BETA-2-PATCH-7~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0fff90afc28cd70c3172b640ce523fc71606b13;p=thirdparty%2Fdhcp.git

Don't trust udp -> uh_len.
---

diff --git a/common/packet.c b/common/packet.c
index 6c7ee8864..9ed7517ec 100644
--- a/common/packet.c
+++ b/common/packet.c
@@ -42,7 +42,7 @@
 
 #ifndef lint
 static char copyright[] =
-"$Id: packet.c,v 1.36 2000/09/20 10:08:51 mellon Exp $ Copyright (c) 1996-2000 The Internet Software Consortium.  All rights reserved.\n";
+"$Id: packet.c,v 1.37 2000/10/13 18:54:56 mellon Exp $ Copyright (c) 1996-2000 The Internet Software Consortium.  All rights reserved.\n";
 #endif /* not lint */
 
 #include "dhcpd.h"
@@ -252,6 +252,12 @@ ssize_t decode_udp_ip_header (interface, buf, bufix, from, data, buflen)
 	  return -1;
 #endif /* USERLAND_FILTER */
 
+  if (udp -> uh_ulen < sizeof udp ||
+      ((unsigned char *)udp) + udp -> uh_ulen > buf + buflen) {
+	  log_info ("bogus UDP packet length: %d\n", udp -> uh_ulen);
+	  return -1;
+  }
+
   /* Check the IP header checksum - it should be zero. */
   ++ip_packets_seen;
   if (wrapsum (checksum (buf + bufix, ip_len, 0))) {