libnetutil: Check dhcp respose packet length
Bug: 67474440 Test: Manual Change-Id: I84b533f0101a56ec01e64c7591f3c7e82f513b2e Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This commit is contained in:
tintin
Dmitry Shmidt
parent
bfe4b5edb3
commit
61f25d4a36
1 changed files with 14 additions and 0 deletions
|
|
@ -218,6 +218,20 @@ int receive_packet(int s, struct dhcp_msg *msg)
|
|||
* to construct the pseudo header used in the checksum calculation.
|
||||
*/
|
||||
dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp);
|
||||
/*
|
||||
* check validity of dhcp_size.
|
||||
* 1) cannot be negative or zero.
|
||||
* 2) src buffer contains enough bytes to copy
|
||||
* 3) cannot exceed destination buffer
|
||||
*/
|
||||
if ((dhcp_size <= 0) ||
|
||||
((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) ||
|
||||
((int)sizeof(struct dhcp_msg) < dhcp_size)) {
|
||||
#if VERBOSE
|
||||
ALOGD("Malformed Packet");
|
||||
#endif
|
||||
return -1;
|
||||
}
|
||||
saddr = packet.ip.saddr;
|
||||
daddr = packet.ip.daddr;
|
||||
nread = ntohs(packet.ip.tot_len);
|
||||
|
|
|
|||
Loading…
Reference in a new issue