This is an automated email from the ASF dual-hosted git repository. davids5 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
The following commit(s) were added to refs/heads/master by this push:
new a97aefe net/icmp: add sanity check to avoid wild data length
a97aefe is described below
commit a97aefe10a20278f53af9e6fff5754de39b8c8c4
Author: chao.an <anc...@xiaomi.com>
AuthorDate: Tue Nov 24 11:38:06 2020 +0800
net/icmp: add sanity check to avoid wild data length
net device buffer overflow if the icmp packet is too large
Signed-off-by: chao.an <anc...@xiaomi.com>
---
 net/icmp/icmp_sendto.c | 8 ++++++++
 net/icmpv6/icmpv6_sendto.c | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/net/icmp/icmp_sendto.c b/net/icmp/icmp_sendto.c
index 8ae0587..cb49320 100644
--- a/net/icmp/icmp_sendto.c
+++ b/net/icmp/icmp_sendto.c
@@ -317,6 +317,14 @@ ssize_t icmp_sendto(FAR struct socket *psock, FAR const void *buf,
 goto errout;
 }

+ /* Sanity check if the request len is greater than the net payload len */
+
+ if (len > NETDEV_PKTSIZE(dev) - (NET_LL_HDRLEN(dev) + IPv4_HDRLEN))
+ {
+ nerr("ERROR: Invalid packet length\n");
+ return -EINVAL;
+ }
+
 /* If we are no longer processing the same ping ID, then flush any pending
 * packets from the read-ahead buffer.
 *
diff --git a/net/icmpv6/icmpv6_sendto.c b/net/icmpv6/icmpv6_sendto.c
index 3ee6881..8a275f0 100644
--- a/net/icmpv6/icmpv6_sendto.c
+++ b/net/icmpv6/icmpv6_sendto.c
@@ -308,6 +308,14 @@ ssize_t icmpv6_sendto(FAR struct socket *psock, FAR const void *buf,
 goto errout;
 }

+ /* Sanity check if the request len is greater than the net payload len */
+
+ if (len > NETDEV_PKTSIZE(dev) - (NET_LL_HDRLEN(dev) + IPv6_HDRLEN))
+ {
+ nerr("ERROR: Invalid packet length\n");
+ return -EINVAL;
+ }
+
 /* If we are no longer processing the same ping ID, then flush any pending
 * packets from the read-ahead buffer.
 *
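Review bot: The new length check in icmp_sendto leaves with `return -EINVAL;` while the error path directly above it uses `goto errout;`, so whatever cleanup the `errout` label performs is skipped for an oversized request. The rest of the function lies outside the hunk, so this needs confirming, but the rejection should probably set the result code and `goto errout;` like its neighbour. The bound `NETDEV_PKTSIZE(dev) - (NET_LL_HDRLEN(dev) + IPv4_HDRLEN)` also deserves a guard: if a device ever reports a packet size smaller than the two headers and `len` is a `size_t` (as the sendto-style signature suggests), the negative difference converts to a very large unsigned value and the check accepts any length, so first verify that the packet size exceeds the header total. `-EMSGSIZE` would describe an oversized datagram more precisely than `-EINVAL`. The second hunk, in net/icmpv6/icmpv6_sendto.c, has the same points with `IPv6_HDRLEN`.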