From ac0ec1f6b3e09b9c0e9483d5eb5ea2dcf59e93c3 Mon Sep 17 00:00:00 2001
From: Ludwig Ortmann
Date: Wed, 8 Jan 2014 14:57:11 +0100
Subject: [PATCH 1/2] nativenet clean up Make nativenet tap payload type consistent with radio_packet_t Also remove a trailing space
---
 cpu/native/include/tap.h | 2 +-
 cpu/native/net/interface.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpu/native/include/tap.h b/cpu/native/include/tap.h
index 9a20295caf..64f190a2fd 100644
--- a/cpu/native/include/tap.h
+++ b/cpu/native/include/tap.h
@@ -44,7 +44,7 @@ struct nativenet_header {
 struct nativenet_packet {
 struct nativenet_header nn_header;
- unsigned char data[ETHERMTU - sizeof(struct nativenet_header)];
+ uint8_t data[ETHERMTU - sizeof(struct nativenet_header)];
 } __attribute__((packed));
 union eth_frame {
diff --git a/cpu/native/net/interface.c b/cpu/native/net/interface.c
index a0fedc8845..2ba0c9f9e4 100644
--- a/cpu/native/net/interface.c
+++ b/cpu/native/net/interface.c
@@ -160,7 +160,7 @@ void do_cb(int event)
 }
 void _nativenet_handle_packet(radio_packet_t *packet)
-{
+{
 radio_address_t dst_addr = packet->dst; /* address filter / monitor mode */
From 76b017aefddf5c12e442f55da2c898a8949d1ab7 Mon Sep 17 00:00:00 2001
From: Ludwig Ortmann
Date: Wed, 8 Jan 2014 14:58:57 +0100
Subject: [PATCH 2/2] check payload length validity make sure the payload does not exceed the amount of data received
---
 cpu/native/net/tap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/cpu/native/net/tap.c b/cpu/native/net/tap.c
index df6fd94ed7..d9fa71521a 100644
--- a/cpu/native/net/tap.c
+++ b/cpu/native/net/tap.c
@@ -87,8 +87,13 @@ void _native_handle_tap_input(void)
 /* XXX: check overflow */
 p.length = ntohs(frame.field.payload.nn_header.length);
 p.data = frame.field.payload.data;
- DEBUG("_native_handle_tap_input: received packet of length %"PRIu16" for %"PRIu16" from %"PRIu16"\n", p.length, p.dst, p.src);
- _nativenet_handle_packet(&p);
+ if (p.length > (nread - sizeof(struct nativenet_header))) {
+ warnx("_native_handle_tap_input: packet with malicious length field received, discarding");
+ }
+ else {
+ DEBUG("_native_handle_tap_input: received packet of length %"PRIu16" for %"PRIu16" from %"PRIu16"\n", p.length, p.dst, p.src);
+ _nativenet_handle_packet(&p);
+ }
 }
 }
 else {
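Review bot: The bound in `if (p.length > (nread - sizeof(struct nativenet_header)))` is computed in `size_t`, so if `nread` can be smaller than the header size at this point, the subtraction wraps to a very large value and the check never rejects the frame. The declaration of `nread` and any earlier minimum-length test are outside the hunk, so this needs confirming against the rest of `_native_handle_tap_input`. Writing the comparison as an addition avoids the wrap for any non-negative `nread`: `if ((size_t)p.length + sizeof(struct nativenet_header) > (size_t)nread) {`. The `/* XXX: check overflow */` comment left above the assignment should then be removed or reworded to say what is still unchecked.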