diff options
author | Ted Lemon <source@isc.org> | 2000-10-13 18:54:56 +0000 |
---|---|---|
committer | Ted Lemon <source@isc.org> | 2000-10-13 18:54:56 +0000 |
commit | b0fff90afc28cd70c3172b640ce523fc71606b13 (patch) | |
tree | 34543313f127ef42350ecc7128e6399293f090ae | |
parent | 37ab25f678c40787fecbec528d90ccccb5c8615e (diff) | |
download | isc-dhcp-b0fff90afc28cd70c3172b640ce523fc71606b13.tar.gz |
Don't trust udp -> uh_len.
-rw-r--r-- | common/packet.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/common/packet.c b/common/packet.c index 6c7ee886..9ed7517e 100644 --- a/common/packet.c +++ b/common/packet.c @@ -42,7 +42,7 @@ #ifndef lint static char copyright[] = -"$Id: packet.c,v 1.36 2000/09/20 10:08:51 mellon Exp $ Copyright (c) 1996-2000 The Internet Software Consortium. All rights reserved.\n"; +"$Id: packet.c,v 1.37 2000/10/13 18:54:56 mellon Exp $ Copyright (c) 1996-2000 The Internet Software Consortium. All rights reserved.\n"; #endif /* not lint */ #include "dhcpd.h" @@ -252,6 +252,12 @@ ssize_t decode_udp_ip_header (interface, buf, bufix, from, data, buflen) return -1; #endif /* USERLAND_FILTER */ + if (udp -> uh_ulen < sizeof udp || + ((unsigned char *)udp) + udp -> uh_ulen > buf + buflen) { + log_info ("bogus UDP packet length: %d\n", udp -> uh_ulen); + return -1; + } + /* Check the IP header checksum - it should be zero. */ ++ip_packets_seen; if (wrapsum (checksum (buf + bufix, ip_len, 0))) { |