diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-29 18:11:44 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-29 18:11:44 +0000 |
commit | ac8169f45dc9e5332d3ec24d0b14f812668b0c8e (patch) | |
tree | f0b9026cb10d9d270231e647c78988abfe516537 | |
parent | abac6c7eedd2d5b06ebd133c4deb53e269c2e924 (diff) | |
parent | de98024485397755232212ff862ffb2a2ca4f08f (diff) | |
download | core-oreo-m5-release.tar.gz |
Merge cherrypicks of [3287457, 3287458, 3286978, 3286979, 3287477, 3287478, 3287479, 3287480, 3287517, 3287518, 3287537, 3287538, 3287539, 3287540, 3287481, 3287482, 3287483, 3287484, 3287485, 3287486, 3287487, 3287488, 3287359, 3287459, 3287360, 3287361, 3287362, 3287363, 3287364, 3287365, 3287366, 3287367, 3287489, 3287490, 3287491, 3287557, 3287577, 3287558, 3287492, 3287493, 3287597, 3287617, 3286980, 3287460, 3287494] into oc-m3-releaseandroid-8.1.0_r9android-8.1.0_r7android-8.1.0_r22android-8.1.0_r21android-8.1.0_r18android-8.1.0_r17android-8.1.0_r14android-8.1.0_r13oreo-m5-releaseoreo-m3-release
Change-Id: I493e5863f5ffc6e3e8496969a7421d2af6dc23a2
-rw-r--r-- | libnetutils/packet.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libnetutils/packet.c b/libnetutils/packet.c index e53a4c84f..9ecdd4f4e 100644 --- a/libnetutils/packet.c +++ b/libnetutils/packet.c @@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg) * to construct the pseudo header used in the checksum calculation. */ dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); + /* + * check validity of dhcp_size. + * 1) cannot be negative or zero. + * 2) src buffer contains enough bytes to copy + * 3) cannot exceed destination buffer + */ + if ((dhcp_size <= 0) || + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { +#if VERBOSE + ALOGD("Malformed Packet"); +#endif + return -1; + } saddr = packet.ip.saddr; daddr = packet.ip.daddr; nread = ntohs(packet.ip.tot_len); |