Currently, the sntp_handler uses data in the UDP packet
regardless of the actual packet size. An OOB read can occur
if the packet is too small.
Fix it by checking the packet length before extracting
seconds from a SNTP packet.
Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
if (dest != sntp_our_port)
return;
+ if (len < SNTP_PACKET_LEN)
+ return;
+
/*
* As the RTC's used in U-Boot support second resolution only
* we simply ignore the sub-second field.
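Review bot: the added `if (len < SNTP_PACKET_LEN)` check returns silently, so a truncated or malformed server reply looks the same as no reply at all; a debug-level message before the `return;` would make such drops diagnosable. Since neither the definition of SNTP_PACKET_LEN nor the type of `len` is visible in this hunk, it is worth confirming that the constant covers at least the end of the seconds field read after this check, and that `len` is the UDP payload length rather than a length that includes headers.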