authorDimitri Staessens <dimitri@ouroboros.rocks>2026-05-01 14:38:23 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-05-20 08:17:03 +0200
commit5f0e3f8bf1710f23eaa223357e41a8595487094b (patch)
treebb4af3ab2f850f6541712dca90524e399049c16a /src
parentcc6d6663956d1ed5becb1f5f3cd53d3cd899fdf0 (diff)
ipcpd: Validate wire frame lengths
Asserting frame lengths coming from the wire was a severe flaw. Fixed by gracefully dropping runt frames. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src')
-rw-r--r--src/ipcpd/udp/udp.c9
-rw-r--r--src/ipcpd/unicast/fa.c7
2 files changed, 10 insertions, 6 deletions
diff --git a/src/ipcpd/udp/udp.c b/src/ipcpd/udp/udp.c
index 452bbc1a..168ea718 100644
--- a/src/ipcpd/udp/udp.c
+++ b/src/ipcpd/udp/udp.c
@@ -352,13 +352,18 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr,
qosspec_t qs;
buffer_t data;
+ /* Defence against malformed/corrupted wire input. */
+ if (len < sizeof(*msg))
+ return -1;
+
msg = (struct mgmt_msg *) buf;
switch (msg->code) {
case FLOW_REQ:
msg_len = sizeof(*msg) + ipcp_dir_hash_len();
- assert(len >= msg_len);
+ if (len < msg_len)
+ return -1;
data.len = len - msg_len;
data.data = (uint8_t *) buf + msg_len;
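Review bot: The two new `return -1` paths in udp_ipcp_mgmt_frame drop a runt management frame without leaving any trace, so an operator cannot tell a peer that sends malformed frames from a quiet link. A debug-level log line or a drop counter at both checks, rate-limited because the input comes from the wire, would make these drops observable. It is also worth confirming that `len` is an unsigned type: if it were signed, `len < sizeof(*msg)` would be evaluated as an unsigned comparison and a negative value would pass the guard; the parameter declaration is outside the hunk. The added comment could state the invariant it protects, e.g. `/* Wire input: never read msg->code from a frame shorter than the header. */`.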
@@ -377,8 +382,6 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr,
(uint8_t *) (msg + 1), qs,
&data);
case FLOW_REPLY:
- assert(len >= sizeof(*msg));
-
data.len = len - sizeof(*msg);
data.data = (uint8_t *) buf + sizeof(*msg);
diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c
index c157d71c..f398d317 100644
--- a/src/ipcpd/unicast/fa.c
+++ b/src/ipcpd/unicast/fa.c
@@ -528,7 +528,8 @@ static int fa_handle_flow_reply(struct fa_msg * msg,
time_t mpl = IPCP_UNICAST_MPL;
int response;
- assert(len >= sizeof(*msg));
+ if (len < sizeof(*msg))
+ return -EINVAL;
data.data = (uint8_t *) msg + sizeof(*msg);
data.len = len - sizeof(*msg);
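Review bot: The length check in fa_handle_flow_reply (and the identical one in fa_handle_flow_update in the next hunk) runs only after the buffer has been typed as `struct fa_msg *`, so if the caller selects the handler by reading `msg->code`, a frame shorter than the header has already been read before this guard is reached. The dispatch code is not visible here, so this needs confirming; if it does read the header first, the `len < sizeof(*msg)` test belongs there once, ahead of the switch, which is how the udp.c change in this commit places it. These handlers also return `-EINVAL` where udp_ipcp_mgmt_frame returns `-1` for the same condition; a consistent error value and a one-line comment such as `/* Runt frame from the wire: drop. */` would make the intent clear. Both function bodies continue outside their hunks.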
@@ -572,8 +573,8 @@ static int fa_handle_flow_update(struct fa_msg * msg,
struct fa_flow * flow;
int fd;
- (void) len;
- assert(len >= sizeof(*msg));
+ if (len < sizeof(*msg))
+ return -EINVAL;
pthread_rwlock_wrlock(&fa.flows_lock);