diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-28 03:34:23 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-28 03:34:23 +0000 |
commit | 9f30f3bbf30b7de0ad3850171db968ae12a6caf0 (patch) | |
tree | f0b9026cb10d9d270231e647c78988abfe516537 | |
parent | f469ebae8604bc756259c7305f8cb7617ca18ddc (diff) | |
parent | b71335264a7c3629f80b7bf1f87375c75c42d868 (diff) | |
download | core-oreo-mr1-release.tar.gz |
Merge cherrypicks of [3276508, 3277765, 3277766, 3277904, 3276473, 3278009, 3278010, 3277767, 3277768, 3277769, 3277770, 3276509, 3276510, 3278011, 3278012, 3278013, 3278014, 3278099, 3278100, 3278101, 3278102, 3278103, 3278104, 3278105, 3278106, 3277800, 3276474, 3278015, 3278016, 3278017, 3278118, 3278119, 3278120, 3278121, 3278122, 3277946, 3277905, 3277947, 3277906, 3277751, 3278123, 3277752, 3278110, 3277771, 3277907, 3278095, 3277908, 3278111, 3277772, 3276475, 3276476] into oc-mr1-releaseandroid-wear-8.1.0_r1android-8.1.0_r6android-8.1.0_r5android-8.1.0_r4android-8.1.0_r3android-8.1.0_r19android-8.1.0_r16android-8.1.0_r15android-8.1.0_r12android-8.1.0_r11android-8.1.0_r10oreo-mr1-wear-releaseoreo-mr1-s1-releaseoreo-mr1-release
Change-Id: Ifa8110f04f5c0940ec625f48d536bfccb3613183
-rw-r--r-- | libnetutils/packet.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libnetutils/packet.c b/libnetutils/packet.c index e53a4c84f..9ecdd4f4e 100644 --- a/libnetutils/packet.c +++ b/libnetutils/packet.c @@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg) * to construct the pseudo header used in the checksum calculation. */ dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); + /* + * check validity of dhcp_size. + * 1) cannot be negative or zero. + * 2) src buffer contains enough bytes to copy + * 3) cannot exceed destination buffer + */ + if ((dhcp_size <= 0) || + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { +#if VERBOSE + ALOGD("Malformed Packet"); +#endif + return -1; + } saddr = packet.ip.saddr; daddr = packet.ip.daddr; nread = ntohs(packet.ip.tot_len); |