Add some size checks in msg_ntoh()

Joseph C. Lehner 2016-01-27 19:35:54 +01:00
parent 53a5786053
commit d232616910

45
nmrp.c

@ -36,6 +36,9 @@
#define NMRP_OPT_LEN 4 #define NMRP_OPT_LEN 4
#define NMRP_MIN_PKT_LEN (sizeof(struct ether_header) + NMRP_HDR_LEN) #define NMRP_MIN_PKT_LEN (sizeof(struct ether_header) + NMRP_HDR_LEN)
#define MAX_OPT_SIZE 12
#define MAX_OPT_NUM 2
#define ETH_P_NMRP 0x0912 #define ETH_P_NMRP 0x0912
#define IP_LEN 4 #define IP_LEN 4
#define PACKED __attribute__((__packed__)) #define PACKED __attribute__((__packed__))
@ -151,31 +154,37 @@ static int msg_ntoh(struct nmrp_msg *msg)
{ {
struct nmrp_opt *opt = msg->opts; struct nmrp_opt *opt = msg->opts;
int remaining; int remaining;
msg_hdr_ntoh(msg); msg_hdr_ntoh(msg);
remaining = msg->len - NMRP_HDR_LEN; remaining = msg->len - NMRP_HDR_LEN;
while (remaining > 0) { // FIXME maximum of two options supported, maximum option
if (remaining < NMRP_OPT_LEN) { // size is 12
fprintf(stderr, "Malformed message.\n"); if (remaining < MAX_OPT_NUM * MAX_OPT_SIZE) {
msg_dump(msg, 0); while (remaining > 0) {
return 1; if (remaining < NMRP_OPT_LEN) {
break;
}
opt->type = ntohs(opt->type);
opt->len = ntohs(opt->len);
if (opt->len > MAX_OPT_SIZE) {
break;
}
remaining -= opt->len;
++opt;
} }
opt->type = ntohs(opt->type); if (!remaining) {
opt->len = ntohs(opt->len); return 0;
}
remaining -= opt->len;
++opt;
} }
if (remaining) { fprintf(stderr, "Unexpected message format.\n");
fprintf(stderr, "Trailing data in message.\n"); msg_dump(msg, 0);
msg_dump(msg, 0); return 1;
return 1;
}
return 0;
} }
static int intf_get_info(int sock, const char *name, int *index, static int intf_get_info(int sock, const char *name, int *index,
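Review bot: The new check inside the while loop of msg_ntoh() bounds `opt->len` only from above, so an option whose length field is 0 (or any value below NMRP_OPT_LEN) leaves `remaining` unchanged while `++opt` still advances. Because these fields come straight from a received packet, the loop can then keep byte-swapping `type`/`len` in memory past the end of the message until it happens to read a value above MAX_OPT_SIZE. I would reject such options in the same test: `if (opt->len < NMRP_OPT_LEN || opt->len > MAX_OPT_SIZE || opt->len > remaining) {`. Separately, the outer guard `remaining < MAX_OPT_NUM * MAX_OPT_SIZE` uses a strict comparison, so a message carrying exactly two 12-byte options, which the FIXME comment describes as supported, is reported as "Unexpected message format."; `<=` looks like what was intended. The definition of struct nmrp_opt is outside this hunk, so it is also worth confirming that stepping with `++opt` matches the on-wire stride given by `opt->len`.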