]>
Commit | Line | Data |
---|---|---|
3f5d3e7d WB |
1 | From 8878799dd147abb25f184e9a6c1133d65ac76e37 Mon Sep 17 00:00:00 2001 |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
3 | Date: Wed, 2 Mar 2016 17:29:58 +0530 | |
4 | Subject: [PATCH] net: check packet payload length | |
5 | ||
6 | While computing IP checksum, 'net_checksum_calculate' reads | |
7 | payload length from the packet. It could exceed the given 'data' | |
8 | buffer size. Add a check to avoid it. | |
9 | ||
10 | Reported-by: Liu Ling <liuling-it@360.cn> | |
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
12 | Signed-off-by: Jason Wang <jasowang@redhat.com> | |
13 | --- | |
14 | net/checksum.c | 10 ++++++++-- | |
15 | 1 file changed, 8 insertions(+), 2 deletions(-) | |
16 | ||
17 | diff --git a/net/checksum.c b/net/checksum.c | |
18 | index 14c0855..0942437 100644 | |
19 | --- a/net/checksum.c | |
20 | +++ b/net/checksum.c | |
21 | @@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length) | |
22 | int hlen, plen, proto, csum_offset; | |
23 | uint16_t csum; | |
24 | ||
25 | + /* Ensure data has complete L2 & L3 headers. */ | |
26 | + if (length < 14 + 20) { | |
27 | + return; | |
28 | + } | |
29 | + | |
30 | if ((data[14] & 0xf0) != 0x40) | |
31 | return; /* not IPv4 */ | |
32 | hlen = (data[14] & 0x0f) * 4; | |
33 | @@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length) | |
34 | return; | |
35 | } | |
36 | ||
37 | - if (plen < csum_offset+2) | |
38 | - return; | |
39 | + if (plen < csum_offset + 2 || 14 + hlen + plen > length) { | |
40 | + return; | |
41 | + } | |
42 | ||
43 | data[14+hlen+csum_offset] = 0; | |
44 | data[14+hlen+csum_offset+1] = 0; | |
45 | -- | |
46 | 2.1.4 | |
47 |