From bcb132e1850edf0f90336a249751742aae5705db Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 28 Nov 2014 22:31:38 +0200
Subject: [PATCH] proxyarp: Validate IPv4 header total length value in dhcp_snoop

This field needs to be validated in addition to validating the total length of the received frame to avoid reading beyond the frame buffer.

Signed-off-by: Jouni Malinen
---
 src/ap/dhcp_snoop.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/ap/dhcp_snoop.c b/src/ap/dhcp_snoop.c
index 0f62eb7ac..a70602467 100644
--- a/src/ap/dhcp_snoop.c
+++ b/src/ap/dhcp_snoop.c
@@ -52,17 +52,22 @@ static void handle_dhcp(void *ctx, const u8 *src_addr, const u8 *buf,
 const u8 *end, *pos;
 int res, msgtype = 0, prefixlen = 32;
 u32 subnet_mask = 0;
+ u16 tot_len;

 exten_len = len - ETH_HLEN - (sizeof(*b) - sizeof(b->exten));
 if (exten_len < 4)
 return;

 b = (const struct bootp_pkt *) &buf[ETH_HLEN];
+ tot_len = ntohs(b->iph.tot_len);
+ if (tot_len > (unsigned int) (len - ETH_HLEN))
+ return;
+
 if (os_memcmp(b->exten, ic_bootp_cookie, ARRAY_SIZE(ic_bootp_cookie)))
 return;

 /* Parse DHCP options */
- end = (const u8 *) b + ntohs(b->iph.tot_len);
+ end = (const u8 *) b + tot_len;
 pos = &b->exten[4];
 while (pos < end && *pos != 0xff) {
 const u8 *opt = pos++;
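Review bot: The new check on `tot_len` bounds it only from above, so a value smaller than the fixed BOOTP header plus the 4-byte cookie still passes and `end` lands before `pos = &b->exten[4]`. The `pos < end` guard keeps the option loop from running in that case, but the cookie compare (and presumably any later use of fields in `b`) then works on bytes that the IPv4 header says are not part of the datagram. Rejecting short values alongside the upper bound makes the intent explicit: `if (tot_len < sizeof(*b) - sizeof(b->exten) + 4 || tot_len > (unsigned int) (len - ETH_HLEN)) return;`. handle_dhcp starts before this hunk and the option loop's body continues past it, so whether each option's length byte is checked against `end` before it is read should be confirmed there.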