| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-05-01 14:38:23 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-05-20 08:17:03 +0200 |
| commit | 5f0e3f8bf1710f23eaa223357e41a8595487094b (patch) | |
| tree | bb4af3ab2f850f6541712dca90524e399049c16a /src/ipcpd | |
| parent | cc6d6663956d1ed5becb1f5f3cd53d3cd899fdf0 (diff) | |
ipcpd: Validate wire frame lengths
Asserting frame lengths coming from the wire was a severe flaw. Fixed
by gracefully dropping runt frames.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/ipcpd')
| -rw-r--r-- | src/ipcpd/udp/udp.c | 9 | ||||
| -rw-r--r-- | src/ipcpd/unicast/fa.c | 7 |
2 files changed, 10 insertions, 6 deletions
diff --git a/src/ipcpd/udp/udp.c b/src/ipcpd/udp/udp.c
index 452bbc1a..168ea718 100644
--- a/src/ipcpd/udp/udp.c
+++ b/src/ipcpd/udp/udp.c
@@ -352,13 +352,18 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr,
 qosspec_t qs;
 buffer_t data;
+ /* Defence against malformed/corrupted wire input. */
+ if (len < sizeof(*msg))
+ return -1;
+
 msg = (struct mgmt_msg *) buf;
 switch (msg->code) {
 case FLOW_REQ:
 msg_len = sizeof(*msg) + ipcp_dir_hash_len();
- assert(len >= msg_len);
+ if (len < msg_len)
+ return -1;
 data.len = len - msg_len;
 data.data = (uint8_t *) buf + msg_len;
@@ -377,8 +382,6 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr,
 (uint8_t *) (msg + 1), qs, &data);
 case FLOW_REPLY:
- assert(len >= sizeof(*msg));
-
 data.len = len - sizeof(*msg);
 data.data = (uint8_t *) buf + sizeof(*msg);
diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c
index c157d71c..f398d317 100644
--- a/src/ipcpd/unicast/fa.c
+++ b/src/ipcpd/unicast/fa.c
@@ -528,7 +528,8 @@ static int fa_handle_flow_reply(struct fa_msg * msg,
 time_t mpl = IPCP_UNICAST_MPL;
 int response;
- assert(len >= sizeof(*msg));
+ if (len < sizeof(*msg))
+ return -EINVAL;
 data.data = (uint8_t *) msg + sizeof(*msg);
 data.len = len - sizeof(*msg);
@@ -572,8 +573,8 @@ static int fa_handle_flow_update(struct fa_msg * msg,
 struct fa_flow * flow;
 int fd;
- (void) len;
- assert(len >= sizeof(*msg));
+ if (len < sizeof(*msg))
+ return -EINVAL;
 pthread_rwlock_wrlock(&fa.flows_lock); |
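Review bot: The two new early returns in udp_ipcp_mgmt_frame (first udp.c hunk: the `len < sizeof(*msg)` guard before the cast and the `len < msg_len` check under FLOW_REQ) drop the frame without leaving any trace, so a peer that keeps sending runt management frames is invisible to the operator. Whether the caller logs a -1 return is not visible here; if it does not, add a line such as `log_dbg("Dropping runt mgmt frame.");` (assuming the file's usual log macros) or a drop counter before each return. The bare `-1` also differs from the `-EINVAL` that fa.c returns for the same condition in this commit, so pick one convention. The function body starts and ends outside the hunk.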
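Review bot: In fa_handle_flow_reply (first fa.c hunk) the `if (len < sizeof(*msg))` check runs only after the caller has already chosen this handler, which presumably means it read `msg->code` from the same buffer. That dispatcher is not part of this diff; if it does not check the length first, a frame shorter than the header is still dereferenced before this guard is reached, so confirm it, or put one check ahead of the dispatch as udp.c now does before its `switch (msg->code)`. The same holds for fa_handle_flow_update in the following hunk. Handlers for other message codes are not shown and are worth checking for a remaining `assert(len >= ...)` on wire input. Both function bodies continue outside their hunks.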
