From: Andrew Tridgell
Date: Wed, 4 Jul 2007 06:22:09 +0000 (+1000)
Subject: more careful checking of lengths
X-Git-Tag: tevent-0.9.20~348^2~2476
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19d2fc0aa6e357d7d92a38ba44a4bd358e9af5b3;p=thirdparty%2Fsamba.git

more careful checking of lengths

(This used to be ctdb commit 45662f2152a152b7160b66a857d8215348c28dc5)
---

diff --git a/ctdb/takeover/system.c b/ctdb/takeover/system.c
index e6df9b77990..2259cff36d6 100644
--- a/ctdb/takeover/system.c
+++ b/ctdb/takeover/system.c
@@ -484,7 +484,7 @@ int ctdb_sys_kill_tcp(struct event_context *ev,
 event_loop_once(ev);
 ret = recv(s, pkt, RCVPKTSIZE, MSG_TRUNC);
- if (ret<40) {
+ if (ret < sizeof(*eth)+sizeof(*ip)) {
 continue;
 }
@@ -496,7 +496,7 @@ int ctdb_sys_kill_tcp(struct event_context *ev,
 }
 /* IP */
- ip = (struct iphdr *)&pkt[14];
+ ip = (struct iphdr *)(eth+1);
 /* We only want IPv4 packets */
 if (ip->version != 4) {
 continue;
@@ -519,8 +519,15 @@ int ctdb_sys_kill_tcp(struct event_context *ev,
 continue;
 }
+ /* make sure its not a short packet */
+ if (offsetof(struct tcphdr, ack_seq) + 4 +
+ (ip->ihl*4) + sizeof(*eth) > ret) {
+ continue;
+ }
+
 /* TCP */
- tcp = (struct tcphdr *)&pkt[14+ip->ihl*4];
+ tcp = (struct tcphdr *)((ip->ihl*4) + (char *)ip);
+
 /* We only want replies from the port we tickled */
 if (tcp->source != dst->sin_port) {
 continue;
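Review bot: The new guard in the first hunk compares ret, the signed result of recv(), against a size_t expression, so a recv() failure (-1) is converted to a huge unsigned value and is no longer skipped, whereas the old `ret<40` did catch it; the short-packet check `... + sizeof(*eth) > ret` in the third hunk has the same signed/unsigned problem and would also pass a negative ret. Check the sign explicitly before the unsigned comparison, `if (ret < 0 || (size_t)ret < sizeof(*eth)+sizeof(*ip)) {` in the first hunk and `(ip->ihl*4) + sizeof(*eth) > (size_t)ret) {` in the third; ret is declared outside these hunks, so this assumes it is int or ssize_t as the recv() call suggests. Because recv() is called with MSG_TRUNC, ret may report the full on-wire length even when only RCVPKTSIZE bytes were stored in pkt, so if frames can exceed RCVPKTSIZE the length checks should use the smaller of ret and RCVPKTSIZE rather than ret alone. ctdb_sys_kill_tcp begins and ends outside these hunks.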