Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2026-06-07 01:05:54 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

net/icmp: add sanity check to avoid wild data length

Browse Source 
MIRTOS-267

net device buffer overflow if the icmp packet is too large

Change-Id: If0e6c039b99e064a122672d64eb057347ae3c053
Signed-off-by: chao.an <anchao@xiaomi.com>
This commit is contained in:
chao.an
2020-11-24 11:38:06 +08:00
committed by chao an
parent f1968469a4
commit c08ac2e35d
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/icmp/icmp_sendto.c
+8
View File
@@ -317,6 +317,14 @@ ssize_t icmp_sendto(FAR struct socket *psock, FAR const void *buf,
goto errout;
}
/* Sanity check if the request len is greater than the net payload len */
if (len > NETDEV_PKTSIZE(dev) - (NET_LL_HDRLEN(dev) + IPv4_HDRLEN))
{
nerr("ERROR: Invalid packet length\n");
return -EINVAL;
}
/* If we are no longer processing the same ping ID, then flush any pending
* packets from the read-ahead buffer.
*
net/icmpv6/icmpv6_sendto.c
+8
View File
@@ -308,6 +308,14 @@ ssize_t icmpv6_sendto(FAR struct socket *psock, FAR const void *buf,
goto errout;
}
/* Sanity check if the request len is greater than the net payload len */
if (len > NETDEV_PKTSIZE(dev) - (NET_LL_HDRLEN(dev) + IPv6_HDRLEN))
{
nerr("ERROR: Invalid packet length\n");
return -EINVAL;
}
/* If we are no longer processing the same ping ID, then flush any pending
* packets from the read-ahead buffer.
*