summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortintin <tintinweb@oststrom.com>2017-11-02 03:25:33 +0000
committerandroid-build-merger <android-build-merger@google.com>2017-11-02 03:25:33 +0000
commit9f1398c6e33a5012f997a3624394e4b64c2092ad (patch)
treeea90f2aedf3789e254a0aab4ddf919dfc39b61ae
parentc184678b7a089e4e579a8772fa06b584d0b39ddf (diff)
parentcdf0fc60184dcda9c4de9ecdb39c5a0d97b698e1 (diff)
downloadcore-9f1398c6e33a5012f997a3624394e4b64c2092ad.tar.gz
core-9f1398c6e33a5012f997a3624394e4b64c2092ad.tar.bz2
core-9f1398c6e33a5012f997a3624394e4b64c2092ad.zip
libnetutil: Check dhcp respose packet length am: 61f25d4a36 am: cee6d38c55 am: 29d054046f am: c29049f4f8 am: 3de04e9840 am: 19702dc499 am: 8191e9ba87 am: 804323c195 am: 4f5f00d879 am: 3a1ff1ad71 am: bab7b1ecd9
am: cdf0fc6018 Change-Id: If9bc99849e62fe38cdf52180ff76390c452e0784
-rw-r--r--libnetutils/packet.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/libnetutils/packet.c b/libnetutils/packet.c
index e53a4c84f..9ecdd4f4e 100644
--- a/libnetutils/packet.c
+++ b/libnetutils/packet.c
@@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg)
* to construct the pseudo header used in the checksum calculation.
*/
dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp);
+ /*
+ * check validity of dhcp_size.
+ * 1) cannot be negative or zero.
+ * 2) src buffer contains enough bytes to copy
+ * 3) cannot exceed destination buffer
+ */
+ if ((dhcp_size <= 0) ||
+ ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) ||
+ ((int)sizeof(struct dhcp_msg) < dhcp_size)) {
+#if VERBOSE
+ ALOGD("Malformed Packet");
+#endif
+ return -1;
+ }
saddr = packet.ip.saddr;
daddr = packet.ip.daddr;
nread = ntohs(packet.ip.tot_len);