On Monday 19 January 2015 21:59:32 Jan-Philipp Litza wrote:
When first checking if a received packet is truncated, the size of
alfred_tlv structure is ignored, thus allowing packets that are
truncated by 4 bytes or less to pass the check unnoticed.
Even the check itself might access memory after the packet if its size
was only 2 bytes or less.
/* drop truncated packets */
- if (length < ((int)ntohs(packet->length)))
+ if (length < (int)sizeof(*packet) ||
+ length < (int)(ntohs(packet->length) + sizeof(*packet)))
/* drop incompatible packet */
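Review bot: the second operand of the `||` dereferences `packet->length`, which is only safe because the first operand has already established `length >= sizeof(*packet)` and `||` short-circuits; making the header-size test its own `if` before `packet` is dereferenced would state that ordering explicitly instead of relying on evaluation order. It is also worth a short comment that, with the `(int)` casts, a negative `length` (a failed receive) is rejected by the first comparison as well.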
Thanks for the patch. It is basically correct but maybe you can modify it
slightly to make it also catch very small packets.
diff --git a/recv.c b/recv.c
index 90db0b3..288f577 100644
@@ -391,7 +391,12 @@ int recv_alfred_packet(struct globals *globals, struct interface
+ /* drop packets smaller than tlv */
+ if (length < (int)sizeof(*packet))
+ return -1;
packet = (struct alfred_tlv *)buf;
+ length -= sizeof(*packet);
/* drop packets not sent over link-local ipv6 */
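Review bot: after `length -= sizeof(*packet);` the existing `if (length < ((int)ntohs(packet->length)))` further down now compares the payload bytes actually received against the announced payload length, so that line must stay as it is; if `length` is an `int`, as the `(int)` casts in the comparisons suggest, the compound assignment is evaluated in `size_t` arithmetic, and `length -= (int)sizeof(*packet);` would match the cast style of the check two lines above and avoid a signed/unsigned conversion warning. Placing the new check before `packet = (struct alfred_tlv *)buf;` means the header is no longer read for packets shorter than it, which covers the out-of-bounds read the original report mentions for packets of 2 bytes or less.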
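To make the difference between the two checks concrete, here is an added example in C (not alfred's own code) that runs the pre-patch comparison and a check along the lines suggested above over a constructed 12-byte TLV received with varying numbers of trailing bytes cut off; the `struct alfred_tlv` layout (4-byte header, 16-bit length at offset 2) is an assumption taken from the sizes the report implies, and `old_check_truncated`, `new_check_truncated` and the `*_on_sample` helpers are hypothetical names.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Assumed header layout: 4 bytes with the payload length (network byte
 * order) at offset 2, matching the sizes the thread implies; this is a
 * constructed stand-in, not alfred's own definition. */
struct alfred_tlv {
	uint8_t type;
	uint8_t version;
	uint16_t length;
} __attribute__((packed));

/* Pre-patch check: compares the received byte count against the payload
 * length only, so up to sizeof(*packet) missing trailing bytes go unnoticed.
 * Both checks return 1 when the packet must be dropped, 0 otherwise. */
int old_check_truncated(const uint8_t *buf, int length)
{
	const struct alfred_tlv *packet = (const struct alfred_tlv *)buf;
	return length < (int)ntohs(packet->length);
}

/* Check along the lines of the reviewer's suggestion: refuse anything
 * shorter than the header before reading it, then compare what remains. */
int new_check_truncated(const uint8_t *buf, int length)
{
	const struct alfred_tlv *packet;
	if (length < (int)sizeof(*packet))
		return 1;
	packet = (const struct alfred_tlv *)buf;
	length -= (int)sizeof(*packet);
	return length < (int)ntohs(packet->length);
}

/* Constructed sample: one TLV announcing an 8-byte payload (12 bytes on the
 * wire), handed to a check as if only the first (12 - cut) bytes arrived. */
#define SAMPLE_PAYLOAD_LEN 8
static int check_on_sample(int (*check)(const uint8_t *, int), int cut)
{
	uint8_t buf[sizeof(struct alfred_tlv) + SAMPLE_PAYLOAD_LEN];
	struct alfred_tlv hdr = { 0, 0, htons(SAMPLE_PAYLOAD_LEN) };
	memcpy(buf, &hdr, sizeof(hdr));
	memset(buf + sizeof(hdr), 0xab, SAMPLE_PAYLOAD_LEN);
	return check(buf, (int)sizeof(buf) - cut);
}
int old_check_on_sample(int cut) { return check_on_sample(old_check_truncated, cut); }
int new_check_on_sample(int cut) { return check_on_sample(new_check_truncated, cut); }
```

With 1 to 4 trailing bytes missing the old check still accepts the packet while the new one drops it; with 9 bytes missing only 3 remain and the new check drops it without reading the header at all.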