system/core
| 修訂 | 2e55ec2a45650ddeb443c249c99f142d082d9d83 (tree) |
|---|---|
| 時間 | 2017-11-14 10:30:10 |
| 作者 | tintin <tintinweb@osts...> |
| Commiter | Nikoli Cartagena |
libnetutil: Check dhcp respose packet length
Bug: 67474440
Test: Manual
Change-Id: I84b533f0101a56ec01e64c7591f3c7e82f513b2e
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
(cherry picked from commit 61f25d4a3657e79659963d12005afa8c30883015)
libnetutils/packet.c (diff)| @@ -219,6 +219,20 @@ int receive_packet(int s, struct dhcp_msg *msg) | ||
| 219 | 219 | * to construct the pseudo header used in the checksum calculation. |
| 220 | 220 | */ |
| 221 | 221 | dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); |
| 222 | + /* | |
| 223 | + * check validity of dhcp_size. | |
| 224 | + * 1) cannot be negative or zero. | |
| 225 | + * 2) src buffer contains enough bytes to copy | |
| 226 | + * 3) cannot exceed destination buffer | |
| 227 | + */ | |
| 228 | + if ((dhcp_size <= 0) || | |
| 229 | + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || | |
| 230 | + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { | |
| 231 | +#if VERBOSE | |
| 232 | + ALOGD("Malformed Packet"); | |
| 233 | +#endif | |
| 234 | + return -1; | |
| 235 | + } | |
| 222 | 236 | saddr = packet.ip.saddr; |
| 223 | 237 | daddr = packet.ip.daddr; |
| 224 | 238 | nread = ntohs(packet.ip.tot_len); |
Fork