------------------------------------------------------------
revno: 555
revision-id: [EMAIL PROTECTED]
parent: [EMAIL PROTECTED]
committer: Andrew Tridgell <[EMAIL PROTECTED]>
branch nick: tridge
timestamp: Wed 2007-07-04 16:22:09 +1000
message:
  more careful checking of lengths
modified:
  takeover/system.c              system.c-20070525071636-a5n1ihghjtppy08r-3
=== modified file 'takeover/system.c'
--- a/takeover/system.c 2007-07-04 03:53:22 +0000
+++ b/takeover/system.c 2007-07-04 06:22:09 +0000
@@ -484,7 +484,7 @@
                event_loop_once(ev);
 
                ret = recv(s, pkt, RCVPKTSIZE, MSG_TRUNC);
-               if (ret<40) {
+               if (ret < sizeof(*eth)+sizeof(*ip)) {
                        continue;
                }
 
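Review bot: The new guard `if (ret < sizeof(*eth)+sizeof(*ip))` compares the signed result of recv() against a size_t, so a -1 error return is converted to a huge unsigned value and passes the check, whereas the old `ret<40` rejected it; the subsequent header parsing would then run on a buffer that recv() did not fill. Write it as `if (ret < 0 || (size_t)ret < sizeof(*eth)+sizeof(*ip)) { continue; }` (assuming `ret` is an int or ssize_t, as recv()'s return type suggests). The same mixed-sign comparison recurs in the later short-packet check, so it is worth fixing the sign handling once here. The enclosing receive loop begins outside this hunk.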
@@ -496,7 +496,7 @@
                }
        
                /* IP */
-               ip = (struct iphdr *)&pkt[14];
+               ip = (struct iphdr *)(eth+1);
                /* We only want IPv4 packets */
                if (ip->version != 4) {
                        continue;
@@ -519,8 +519,15 @@
                        continue;
                }
 
+               /* make sure its not a short packet */
+               if (offsetof(struct tcphdr, ack_seq) + 4 + 
+                   (ip->ihl*4) + sizeof(*eth) > ret) {
+                       continue;
+               }
+
                /* TCP */
-               tcp = (struct tcphdr *)&pkt[14+ip->ihl*4];
+               tcp = (struct tcphdr *)((ip->ihl*4) + (char *)ip);
+               
                /* We only want replies from the port we tickled */
                if (tcp->source != dst->sin_port) {
                        continue;
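Review bot: The added short-packet check `... + sizeof(*eth) > ret` has the same signed/unsigned comparison as the earlier length check, so it relies on `ret` being non-negative by the time it is reached; if a negative recv() result can get here, the check is bypassed. The bound only covers the TCP header through `ack_seq`, which is correct only if nothing past that field (flags, window, options) is read afterwards — a comment such as `/* only source, dest, seq and ack_seq are read below; extend this bound if more of the TCP header is used */` would make that contract explicit, and the comment typo `its` should read `it's`. I cannot see whether `ip->ihl < 5` is rejected elsewhere; if not, the computed `tcp` pointer lands inside the IP header, which the length check alone does not catch. The function continues past the end of this hunk.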
