Add some size checks in msg_ntoh()

Joseph C. Lehner 2016-01-27 19:35:54 +01:00
parent 53a5786053
commit d232616910

25
nmrp.c

@ -36,6 +36,9 @@
#define NMRP_OPT_LEN 4 #define NMRP_OPT_LEN 4
#define NMRP_MIN_PKT_LEN (sizeof(struct ether_header) + NMRP_HDR_LEN) #define NMRP_MIN_PKT_LEN (sizeof(struct ether_header) + NMRP_HDR_LEN)
#define MAX_OPT_SIZE 12
#define MAX_OPT_NUM 2
#define ETH_P_NMRP 0x0912 #define ETH_P_NMRP 0x0912
#define IP_LEN 4 #define IP_LEN 4
#define PACKED __attribute__((__packed__)) #define PACKED __attribute__((__packed__))
@ -155,27 +158,33 @@ static int msg_ntoh(struct nmrp_msg *msg)
msg_hdr_ntoh(msg); msg_hdr_ntoh(msg);
remaining = msg->len - NMRP_HDR_LEN; remaining = msg->len - NMRP_HDR_LEN;
// FIXME maximum of two options supported, maximum option
// size is 12
if (remaining < MAX_OPT_NUM * MAX_OPT_SIZE) {
while (remaining > 0) { while (remaining > 0) {
if (remaining < NMRP_OPT_LEN) { if (remaining < NMRP_OPT_LEN) {
fprintf(stderr, "Malformed message.\n"); break;
msg_dump(msg, 0);
return 1;
} }
opt->type = ntohs(opt->type); opt->type = ntohs(opt->type);
opt->len = ntohs(opt->len); opt->len = ntohs(opt->len);
if (opt->len > MAX_OPT_SIZE) {
break;
}
remaining -= opt->len; remaining -= opt->len;
++opt; ++opt;
} }
if (remaining) { if (!remaining) {
fprintf(stderr, "Trailing data in message.\n"); return 0;
msg_dump(msg, 0); }
return 1;
} }
return 0; fprintf(stderr, "Unexpected message format.\n");
msg_dump(msg, 0);
return 1;
} }
static int intf_get_info(int sock, const char *name, int *index, static int intf_get_info(int sock, const char *name, int *index,
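Review bot: The new bound on `opt->len` in the option loop of msg_ntoh() has no lower limit, so an option whose length field is 0 leaves `remaining` unchanged while `++opt` keeps advancing, and the in-place `ntohs()` stores would then run past the received message. Rejecting short lengths in the same test closes this: `if (opt->len < NMRP_OPT_LEN || opt->len > MAX_OPT_SIZE) {`. Separately, the outer test `remaining < MAX_OPT_NUM * MAX_OPT_SIZE` looks like it refuses a message carrying exactly two 12-byte options; `<=` seems intended if the limits in the FIXME comment are inclusive. The declarations of `opt` and `remaining` are outside the hunk, so this assumes `remaining` is signed and that `len` counts the 4-byte option header.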