check payload length validity

make sure the payload does not exceed the amount of data received
Ludwig Ortmann 2014-01-08 14:58:57 +01:00
parent ac0ec1f6b3
commit 76b017aefd


@ -87,10 +87,15 @@ void _native_handle_tap_input(void)
/* XXX: check overflow */ /* XXX: check overflow */
p.length = ntohs(frame.field.payload.nn_header.length); p.length = ntohs(frame.field.payload.nn_header.length);
p.data = frame.field.payload.data; p.data = frame.field.payload.data;
if (p.length > (nread - sizeof(struct nativenet_header))) {
warnx("_native_handle_tap_input: packet with malicious length field received, discarding");
}
else {
DEBUG("_native_handle_tap_input: received packet of length %"PRIu16" for %"PRIu16" from %"PRIu16"\n", p.length, p.dst, p.src); DEBUG("_native_handle_tap_input: received packet of length %"PRIu16" for %"PRIu16" from %"PRIu16"\n", p.length, p.dst, p.src);
_nativenet_handle_packet(&p); _nativenet_handle_packet(&p);
} }
} }
}
else { else {
DEBUG("ignoring non-native frame\n"); DEBUG("ignoring non-native frame\n");
} }
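Review bot: The added bound `nread - sizeof(struct nativenet_header)` wraps when fewer bytes than the header were read, because `sizeof` yields `size_t` and the subtraction is done unsigned; the result is huge and any `p.length` passes. Compare `nread` against the header size before subtracting, e.g. `if (nread < (int)sizeof(struct nativenet_header) || p.length > nread - sizeof(struct nativenet_header)) {` (the declaration of `nread` is outside the hunk, so adjust the cast to its actual type). If `nread` counts the whole tap frame, the link-layer header in front of `frame.field.payload` has to be subtracted as well; otherwise `p.length` may still extend past the received data by that many bytes and `_nativenet_handle_packet` would read stale buffer contents. The `/* XXX: check overflow */` comment above the check should be updated to say what is still unchecked.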