Repository : ssh://git@open-mesh.org/alfred
On branch : master
commit 424f0427c0c6bb52a956f5d665eb70a8f195abfe Author: Sven Eckelmann sven@open-mesh.com Date: Fri Jan 4 10:01:39 2013 +0100
alfred: Avoid buffer overruns with large MTUs
Different functions like the sending function assume an MTU smaller than the default buffer size of 9000. This need not be true, and therefore it can happen that the buffer on the stack is overwritten.
The MTU is reduced instead to avoid this problem until all functions using such a buffer are sanitized.
Signed-off-by: Sven Eckelmann sven@open-mesh.com
424f0427c0c6bb52a956f5d665eb70a8f195abfe alfred.h | 3 +++ client.c | 4 ++-- netsock.c | 2 ++ recv.c | 2 +- send.c | 2 +- unix_sock.c | 4 ++-- 6 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/alfred.h b/alfred.h
index 4f1a89f..4340e66 100644
--- a/alfred.h
+++ b/alfred.h
@@ -115,6 +115,9 @@ struct globals {
#define ALFRED_HEADLEN (sizeof(struct ethhdr) +\
 sizeof(struct alfred_packet))
+
+#define MAX_PAYLOAD 9000
+
 /* server.c */
 int alfred_server(struct globals *globals);
 int set_best_server(struct globals *globals);
diff --git a/client.c b/client.c
index 31929a7..a87dfc2 100644
--- a/client.c
+++ b/client.c
@@ -32,7 +32,7 @@
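Review bot: `MAX_PAYLOAD` is added to alfred.h without a comment, and the name reads as payload-only although this commit uses it as the size of whole packet buffers (recv.c declares `buf[MAX_PAYLOAD]` next to `struct ethhdr *ethhdr`, so the buffer apparently holds the headers too). A comment would pin the contract down, for example `/* size of the on-stack packet buffers, headers included; netsock_open() clamps globals->mtu to this value */`. Stating there that every user must bound its writes with `sizeof(buf)` would also help the follow-up cleanup the commit message announces.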
int alfred_client_request_data(struct globals *globals)
 {
- unsigned char buf[9000], *pos;
+ unsigned char buf[MAX_PAYLOAD], *pos;
 struct alfred_packet *packet;
 struct alfred_data *data;
 int ret, len, headlen, data_len, i;
@@ -100,7 +100,7 @@ int alfred_client_request_data(struct globals *globals)
int alfred_client_set_data(struct globals *globals)
 {
- unsigned char buf[9000];
+ unsigned char buf[MAX_PAYLOAD];
 struct alfred_packet *packet;
 struct alfred_data *data;
 int ret, len;
diff --git a/netsock.c b/netsock.c
index cf973f2..e24687f 100644
--- a/netsock.c
+++ b/netsock.c
@@ -83,6 +83,8 @@ int netsock_open(struct globals *globals)
 }
globals->mtu = ifr.ifr_mtu;
+ if (globals->mtu > MAX_PAYLOAD)
+ globals->mtu = MAX_PAYLOAD;
if (bind(sock, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
 fprintf(stderr, "can't bind\n");
diff --git a/recv.c b/recv.c
index 609fa2a..76a4992 100644
--- a/recv.c
+++ b/recv.c
@@ -168,7 +168,7 @@ int process_alfred_request(struct globals *globals,
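Review bot: The clamp after `globals->mtu = ifr.ifr_mtu;` in netsock_open() limits the MTU to exactly the buffer size, which is only safe if every user of `globals->mtu` treats it as the total number of bytes placed in `buf`, headers included. The code that fills the buffers is outside this diff; if a sender adds `ALFRED_HEADLEN` on top of `globals->mtu`, the 9000-byte stack buffers can still be exceeded by the header length, and clamping to `MAX_PAYLOAD - ALFRED_HEADLEN` would be needed instead. The reduction is also silent; a line such as `fprintf(stderr, "MTU limited to %d\n", MAX_PAYLOAD);` inside the `if` would tell the operator that frames are smaller than the interface allows. netsock_open() starts and ends outside the hunk.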
int recv_alfred_packet(struct globals *globals) { - uint8_t buf[9000]; + uint8_t buf[MAX_PAYLOAD]; int length; struct ethhdr *ethhdr; struct alfred_packet *packet; diff --git a/send.c b/send.c index ffd9df9..f1f66b8 100644 --- a/send.c +++ b/send.c @@ -52,7 +52,7 @@ int push_data(struct globals *globals, uint8_t *destination, enum data_source max_source_level, int type_filter) { struct hash_it_t *hashit = NULL; - uint8_t buf[9000]; + uint8_t buf[MAX_PAYLOAD]; struct alfred_packet *packet; struct alfred_data *data; uint16_t total_length = 0; diff --git a/unix_sock.c b/unix_sock.c index 7277d69..cc55a55 100644 --- a/unix_sock.c +++ b/unix_sock.c @@ -148,7 +148,7 @@ int unix_sock_req_data(struct globals *globals, struct alfred_packet *packet, struct timeval tv, last_check, now; fd_set fds; int ret, len, type; - uint8_t buf[9000]; + uint8_t buf[MAX_PAYLOAD];
len = ntohs(packet->length);
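Review bot: In unix_sock_req_data() the length is taken from the request, `len = ntohs(packet->length);`, not from `globals->mtu`, so the clamp added in netsock.c does not bound it: a 16-bit length field can be as large as 65535 while `buf` is `MAX_PAYLOAD` (9000) bytes. How `len` is used lies outside this hunk; if it sizes a read or copy into `buf`, it needs a check against the buffer first, for example `if ((size_t)len > sizeof(buf)) return -1;`. The function starts and ends outside the hunk, so this should be confirmed against the full body.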
@@ -226,7 +226,7 @@ int unix_sock_read(struct globals *globals)
 struct sockaddr_un sun_addr;
 socklen_t sun_size = sizeof(sun_addr);
 struct alfred_packet *packet;
- uint8_t buf[9000];
+ uint8_t buf[MAX_PAYLOAD];
 int length, headsize, ret = -1;
client_sock = accept(globals->unix_sock, (struct sockaddr *)&sun_addr,