When first checking if a received packet is truncated, the size of the alfred_tlv structure is ignored, thus allowing packets that are truncated by 4 bytes or less to pass the check unnoticed.
Even the check itself might access memory after the packet if its size was only 2 bytes or less.
Signed-off-by: Jan-Philipp Litza <janphilipp@litza.de>
---
 recv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/recv.c b/recv.c index 90db0b3..870485f 100644 --- a/recv.c +++ b/recv.c @@ -402,7 +402,8 @@ int recv_alfred_packet(struct globals *globals, struct interface *interface) return -1;
/* drop truncated packets */ - if (length < ((int)ntohs(packet->length))) + if (length < (int)sizeof(*packet) || + length < (int)(ntohs(packet->length) + sizeof(*packet))) return -1;
/* drop incompatible packet */
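Review bot: the second comparison in the new truncation check compares the signed `int length` against `(int)(ntohs(packet->length) + sizeof(*packet))`, a `size_t` sum cast back to `int`; that cast is only harmless because the sum is bounded by 65535 + sizeof(*packet), and it would be clearer to drop the casts and compare as unsigned once the first test has established `length >= sizeof(*packet)` (and therefore non-negative), e.g. `(size_t)length < ntohs(packet->length) + sizeof(*packet)`. The correctness of the hunk also depends on `||` short-circuiting so that `packet->length` is never read when fewer than `sizeof(*packet)` bytes were received; a one-line comment above the `if` stating that the header check must come first would stop a later refactor from reordering or merging the two conditions.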
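To make the commit message's two failure modes concrete, the following is an added example (not alfred's code and not part of this patch) that reproduces the old and the new truncation check side by side on a constructed packet. The TLV header layout (`type`, `version`, big-endian `length` covering only the body) and the `__attribute__((packed))` are assumptions made for the example; the `accepts()` helper and `BACKING_SIZE` are hypothetical names introduced here. The packet is built inside a larger backing buffer so that the old check's over-read of the length field stays within allocated memory and the demo itself has defined behaviour.

```c
/* Added example: old vs. new truncation check for an alfred-style TLV header.
 * Not alfred's code; header layout below is an assumption for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed header: 4 bytes, matching the "4 bytes or less" in the commit message. */
struct alfred_tlv {
    uint8_t type;
    uint8_t version;
    uint16_t length;   /* network byte order; counts only the body, not the header */
} __attribute__((packed));

/* Backing buffer larger than any packet built here, so that reads past the
 * claimed 'length' (the bug being demonstrated) stay inside allocated memory. */
#define BACKING_SIZE 64

/* Old check: trusts packet->length before verifying that the header arrived. */
static int old_check_accepts(const uint8_t *buf, int length)
{
    const struct alfred_tlv *packet = (const struct alfred_tlv *)buf;

    /* packet->length is read even when length < 2: out-of-bounds on a real
     * receive buffer. The header size is also missing from the comparison, so
     * a packet cut short by up to sizeof(*packet) bytes still passes. */
    if (length < (int)ntohs(packet->length))
        return 0;
    return 1;
}

/* New check: header must be complete before its length field is used, and the
 * advertised body length is compared with the header size added in. */
static int new_check_accepts(const uint8_t *buf, int length)
{
    const struct alfred_tlv *packet = (const struct alfred_tlv *)buf;

    /* Order matters: || short-circuits, so packet->length is never read when
     * fewer than sizeof(*packet) bytes were received. */
    if (length < (int)sizeof(*packet) ||
        length < (int)(ntohs(packet->length) + sizeof(*packet)))
        return 0;
    return 1;
}

/* Constructed sample: write a TLV with a body of body_len bytes into buf.
 * Returns the on-wire size, or -1 if it would not fit the backing buffer. */
static int build_packet(uint8_t buf[BACKING_SIZE], uint16_t body_len)
{
    struct alfred_tlv hdr = { .type = 0, .version = 0, .length = htons(body_len) };

    if (body_len > BACKING_SIZE - sizeof(hdr))
        return -1;
    memset(buf, 0, BACKING_SIZE);
    memcpy(buf, &hdr, sizeof(hdr));
    memset(buf + sizeof(hdr), 0xAB, body_len);
    return (int)(sizeof(hdr) + body_len);
}

/* Build a packet with body_len body bytes, pretend 'received' bytes arrived,
 * and return 1 if the selected check accepts it, 0 if it drops it. */
static int accepts(int use_new_check, uint16_t body_len, int received)
{
    uint8_t buf[BACKING_SIZE];

    if (build_packet(buf, body_len) < 0)
        return -1;
    return use_new_check ? new_check_accepts(buf, received)
                         : old_check_accepts(buf, received);
}

/* Count how many truncated lengths (0 .. full-1) a check wrongly accepts. */
static int count_false_accepts(int use_new_check, uint16_t body_len)
{
    int full = (int)(sizeof(struct alfred_tlv) + body_len);
    int bad = 0;

    for (int len = 0; len < full; len++)
        if (accepts(use_new_check, body_len, len) == 1)
            bad++;
    return bad;
}

int main(void)
{
    printf("body 8, received 10: old=%d new=%d\n",
           accepts(0, 8, 10), accepts(1, 8, 10));
    printf("false accepts for body 8: old=%d new=%d\n",
           count_false_accepts(0, 8), count_false_accepts(1, 8));
    printf("body 0, received 1:  old=%d new=%d\n",
           accepts(0, 0, 1), accepts(1, 0, 1));
    return 0;
}
```

With a 4-byte header the old check accepts exactly four truncated lengths per packet (the packet cut short by 1 to 4 bytes), which is the "4 bytes or less" window from the commit message; the empty-body case shows the second problem, since the old check reaches into the length field with only one byte received. The new check accepts none of the truncated lengths and never touches `packet->length` before the header is complete.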