diff options
author | tintin <tintinweb@oststrom.com> | 2017-11-02 03:23:59 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-11-02 03:23:59 +0000 |
commit | cdf0fc60184dcda9c4de9ecdb39c5a0d97b698e1 (patch) | |
tree | 672cbf785e15c5e6e3bba314bbb62beb86e95dce | |
parent | fb1a14ad599947c85a070655a0cdd257be7902d1 (diff) | |
parent | bab7b1ecd96dfcc825880c81a24443d9abc7803e (diff) | |
download | core-cdf0fc60184dcda9c4de9ecdb39c5a0d97b698e1.tar.gz |
libnetutil: Check dhcp respose packet length am: 61f25d4a36 am: cee6d38c55 am: 29d054046f am: c29049f4f8 am: 3de04e9840 am: 19702dc499 am: 8191e9ba87 am: 804323c195 am: 4f5f00d879 am: 3a1ff1ad71
am: bab7b1ecd9
Change-Id: Id56f81b841d83b4b6fc75517fa165c0000dac663
-rw-r--r-- | libnetutils/packet.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libnetutils/packet.c b/libnetutils/packet.c index e53a4c84f..9ecdd4f4e 100644 --- a/libnetutils/packet.c +++ b/libnetutils/packet.c @@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg) * to construct the pseudo header used in the checksum calculation. */ dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); + /* + * check validity of dhcp_size. + * 1) cannot be negative or zero. + * 2) src buffer contains enough bytes to copy + * 3) cannot exceed destination buffer + */ + if ((dhcp_size <= 0) || + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { +#if VERBOSE + ALOGD("Malformed Packet"); +#endif + return -1; + } saddr = packet.ip.saddr; daddr = packet.ip.daddr; nread = ntohs(packet.ip.tot_len); |