Repository : ssh://git@open-mesh.org/alfred
On branch : master
commit 0e2728c19f507403d31bacb94840f760197d4ccb
Author: Jan-Philipp Litza janphilipp@litza.de
Date: Mon Jan 19 21:59:32 2015 +0100
alfred: Tighten size check on received packet
When first checking if a received packet is truncated, the size of the alfred_tlv structure is ignored, thus allowing packets that are truncated by 4 bytes or less to pass the check unnoticed.
Even the check itself might access memory after the packet if its size was only 2 bytes or less.
Signed-off-by: Jan-Philipp Litza janphilipp@litza.de
Acked-by: Sven Eckelmann sven@narfation.org
Signed-off-by: Simon Wunderlich sw@simonwunderlich.de
0e2728c19f507403d31bacb94840f760197d4ccb
recv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/recv.c b/recv.c index 90db0b3..870485f 100644 --- a/recv.c +++ b/recv.c @@ -402,7 +402,8 @@ int recv_alfred_packet(struct globals *globals, struct interface *interface) return -1;
/* drop truncated packets */ - if (length < ((int)ntohs(packet->length))) + if (length < (int)sizeof(*packet) || + length < (int)(ntohs(packet->length) + sizeof(*packet))) return -1;
/* drop incompatible packet */
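Review bot: The new two-part condition in recv_alfred_packet() depends on evaluation order, and the comment above it does not say so: the test length < (int)sizeof(*packet) has to come first because it is what makes the read of packet->length in the second test safe. I would extend /* drop truncated packets */ to state that, and to note that packet->length counts only the bytes after the header, which is why sizeof(*packet) is added. Two smaller points on the same lines: the comparison is still "<", so a datagram longer than ntohs(packet->length) + sizeof(*packet) is accepted, and it is worth confirming that the code after this check walks the payload by the declared length and not by the received length. The sum is computed as an unsigned size and then cast to int; that cannot overflow with a 16-bit length field, but doing both comparisons in one signedness would remove the need for the casts.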