From 3c2862e71729da85bdd0934a3f1b7b1f8bd0fc06 Mon Sep 17 00:00:00 2001
From: Roy Marples
Date: Tue, 1 Oct 2019 16:00:30 +0100
Subject: [PATCH] BPF: Ensure packet is big enough for a UDP structure and payload

---
 src/bpf.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/bpf.c b/src/bpf.c
index 06bbf3f1..51094b4b 100644
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -581,6 +581,9 @@ static const struct bpf_insn bpf_bootp_ether[] = {
 };
 #define BPF_BOOTP_ETHER_LEN __arraycount(bpf_bootp_ether)
 
+#define BOOTP_MIN_SIZE sizeof(struct ip) + sizeof(struct udphdr) + \
+ sizeof(struct bootp)
+
 static const struct bpf_insn bpf_bootp_filter[] = {
 /* Make sure it's an IPv4 packet. */
 BPF_STMT(BPF_LD + BPF_B + BPF_IND, 0),
@@ -607,8 +610,11 @@ static const struct bpf_insn bpf_bootp_filter[] = {
 BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 0, 1),
 BPF_STMT(BPF_RET + BPF_K, 0),
 
- /* Store IP length. */
+ /* Ensure IP length is big enough to hold the UDP + BOOTP payload and
+ * store IP length in memory. */
 BPF_STMT(BPF_LD + BPF_H + BPF_IND, offsetof(struct ip, ip_len)),
+ BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, BOOTP_MIN_SIZE, 1, 0),
+ BPF_STMT(BPF_RET + BPF_K, 0),
 BPF_STMT(BPF_ST, BPF_M_IPLEN),
 
 /* Advance to the UDP header. */
-- 
2.47.2
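Review bot: `BOOTP_MIN_SIZE` in the first hunk expands to an unparenthesised sum, so any later use next to a higher-precedence operator (for example `len - BOOTP_MIN_SIZE` or `BOOTP_MIN_SIZE * 2`) would silently compute a different bound. Wrap the expansion: `#define BOOTP_MIN_SIZE (sizeof(struct ip) + sizeof(struct udphdr) + sizeof(struct bootp))`. The only use visible in this patch is as a `BPF_JUMP` argument, where the missing parentheses are most likely harmless, but a length bound used for packet validation should not depend on how it is spliced into an expression. A one-line comment stating that this is the smallest IP datagram able to carry a full BOOTP message would also document the intent.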
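Review bot: The `BPF_JGE` test added in the second hunk compares the IP total length with a bound built from a fixed `sizeof(struct ip)`, so a datagram whose header carries IP options can pass with fewer than `sizeof(struct udphdr) + sizeof(struct bootp)` bytes after the IP header. The filter continues at "Advance to the UDP header" outside this hunk and may already account for `ip_hl` there; if it does not, the bound should apply to the total length minus the real header length, or the UDP length field should be checked once the UDP header is reached. `ip_len` is also a sender-controlled field rather than the captured length, so the user-space parser presumably still has to compare the two before trusting either. A short comment on the jump, such as `/* reject if ip_len < BOOTP_MIN_SIZE */`, would make the `1, 0` offsets easier to audit.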