Merge cherrypicks of [3287457, 3287458, 3286978, 3286979, 3287477, 3287478, 3287479, 3287480, 3287517, 3287518, 3287537, 3287538, 3287539, 3287540, 3287481, 3287482, 3287483, 3287484, 3287485, 3287486, 3287487, 3287488, 3287359, 3287459, 3287360, 3287361, 3287362, 3287363, 3287364, 3287365, 3287366, 3287367, 3287489, 3287490, 3287491, 3287557, 3287577, 3287558, 3287492, 3287493, 3287597, 3287617, 3286980, 3287460, 3287494] into oc-m3-releaseandroid-8.1.0_r9android-8.1.0_r7android-8.1.0_r22android-8.1.0_r21android-8.1.0_r18android-8.1.0_r17android-8.1.0_r14android-8.1.0_r13oreo-m5-releaseoreo-m3-release

Change-Id: I493e5863f5ffc6e3e8496969a7421d2af6dc23a2

1 files changed, 14 insertions, 0 deletions

diff --git a/libnetutils/packet.c b/libnetutils/packet.c
index e53a4c84f..9ecdd4f4e 100644
--- a/libnetutils/packet.c
+++ b/libnetutils/packet.c
@@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg)
      * to construct the pseudo header used in the checksum calculation.
      */
     dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp);
+    /*
+     * check validity of dhcp_size.
+     * 1) cannot be negative or zero.
+     * 2) src buffer contains enough bytes to copy
+     * 3) cannot exceed destination buffer
+     */
+    if ((dhcp_size <= 0) ||
+        ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) ||
+        ((int)sizeof(struct dhcp_msg) < dhcp_size)) {
+#if VERBOSE
+        ALOGD("Malformed Packet");
+#endif
+        return -1;
+    }
     saddr = packet.ip.saddr;
     daddr = packet.ip.daddr;
     nread = ntohs(packet.ip.tot_len);