This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/master by this push:
new 5ba6d3c4eb2 net/udp: Validate UDP length field against actual packet
size
5ba6d3c4eb2 is described below
commit 5ba6d3c4eb25a5140736cfd2bcc3e7937cc6132b
Author: gaohedong <[email protected]>
AuthorDate: Sat Dec 27 13:51:26 2025 +0800
net/udp: Validate UDP length field against actual packet size
According to RFC 768, page 2, the length field is the length in octets of this
user datagram, including this header and the data.
Signed-off-by: gaohedong <[email protected]>
---
net/udp/udp_input.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/udp/udp_input.c b/net/udp/udp_input.c
index 3ff17462a33..f6fd0b1fc7c 100644
--- a/net/udp/udp_input.c
+++ b/net/udp/udp_input.c
@@ -215,6 +215,7 @@ static int udp_input(FAR struct net_driver_s *dev, unsigned
int iplen)
FAR struct iob_s *iob;
#endif
unsigned int udpiplen;
+ unsigned int udpdatalen = dev->d_len - iplen;
#ifdef CONFIG_NET_UDP_CHECKSUMS
uint16_t chksum;
#endif
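Review bot: The initializer `dev->d_len - iplen` is an unsigned subtraction, and nothing visible in this hunk establishes `dev->d_len >= iplen` before it runs, so a shorter buffer would make `udpdatalen` wrap to a large value. With a 32-bit `unsigned int` the wrapped value cannot equal the 16-bit `udplen`, so the check added in the second hunk still drops the packet, but that is incidental and may not hold where `unsigned int` is 16 bits wide. I would make the bound explicit in that check, e.g. `if (dev->d_len < iplen + UDP_HDRLEN || ntohs(udp->udplen) != udpdatalen)`, or add a comment stating that the IP input path guarantees `d_len >= iplen`. The declaration list of udp_input() starts and ends outside this hunk.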
@@ -232,6 +233,16 @@ static int udp_input(FAR struct net_driver_s *dev,
unsigned int iplen)
udp = IPBUF(iplen);
+ /* Check the UDP packet length */
+
+ if (udpdatalen < UDP_HDRLEN || ntohs(udp->udplen) != udpdatalen)
+ {
+ nwarn("WARNING: UDP length invalid: hdr=%u actual=%u\n",
+ ntohs(udp->udplen), udpdatalen);
+ dev->d_len = 0;
+ return ret;
+ }
+
/* Get the size of the IP header and the UDP header */
udpiplen = iplen + UDP_HDRLEN;
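Review bot: The strict `!=` comparison in the added check is only correct if `dev->d_len` has already been trimmed to the IP total length before udp_input() runs; if it can still include link-layer padding, as on short Ethernet frames, valid small datagrams would be dropped here. That trimming is not visible in this hunk, so I would state the invariant in the comment, e.g. `/* Check the UDP length; d_len was already trimmed to the IP total length by the caller, so it must match exactly */`, after confirming it holds on both the IPv4 and IPv6 paths. The drop path also calls nwarn() once per malformed packet and updates no counter in the lines shown. If this file keeps a UDP drop statistic, incrementing it here would make malformed-length traffic measurable without relying on the log. The body of udp_input() begins before this hunk and continues after it.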