diff options
author | tintin <tintinweb@oststrom.com> | 2017-10-13 11:11:48 -0700 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2018-01-14 13:03:49 +0100 |
commit | 4c26cb02061c4a4eae597cfdcea590350849cd2c (patch) | |
tree | 497370e85005bf4438da493aaac1999466fdf244 | |
parent | f86d75d049acf34d3cb6cf410e1a6d9b5cf84094 (diff) | |
download | system_core-4c26cb02061c4a4eae597cfdcea590350849cd2c.tar.gz system_core-4c26cb02061c4a4eae597cfdcea590350849cd2c.tar.bz2 system_core-4c26cb02061c4a4eae597cfdcea590350849cd2c.zip |
libnetutil: Check dhcp respose packet length
Bug: 67474440
Test: Manual
Change-Id: I84b533f0101a56ec01e64c7591f3c7e82f513b2e
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
(cherry picked from commit 61f25d4a3657e79659963d12005afa8c30883015)
CVE-2017-13208
-rw-r--r-- | libnetutils/packet.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libnetutils/packet.c b/libnetutils/packet.c index cd26d058a..bfc5f4d4e 100644 --- a/libnetutils/packet.c +++ b/libnetutils/packet.c @@ -219,6 +219,20 @@ int receive_packet(int s, struct dhcp_msg *msg) * to construct the pseudo header used in the checksum calculation. */ dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp); + /* + * check validity of dhcp_size. + * 1) cannot be negative or zero. + * 2) src buffer contains enough bytes to copy + * 3) cannot exceed destination buffer + */ + if ((dhcp_size <= 0) || + ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) || + ((int)sizeof(struct dhcp_msg) < dhcp_size)) { +#if VERBOSE + ALOGD("Malformed Packet"); +#endif + return -1; + } saddr = packet.ip.saddr; daddr = packet.ip.daddr; nread = ntohs(packet.ip.tot_len); |