From 5f0e3f8bf1710f23eaa223357e41a8595487094b Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Fri, 1 May 2026 14:38:23 +0200
Subject: ipcpd: Validate wire frame lengths

Asserting frame lengths coming from the wire was a severe flaw. Fixed
by gracefully dropping runt frames.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/ipcpd/unicast/fa.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'src/ipcpd/unicast')

diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c
index c157d71c..f398d317 100644
--- a/src/ipcpd/unicast/fa.c
+++ b/src/ipcpd/unicast/fa.c
@@ -528,7 +528,8 @@ static int fa_handle_flow_reply(struct fa_msg * msg,
         time_t           mpl = IPCP_UNICAST_MPL;
         int              response;
 
-        assert(len >= sizeof(*msg));
+        if (len < sizeof(*msg))
+                return -EINVAL;
 
         data.data = (uint8_t *) msg + sizeof(*msg);
         data.len  = len - sizeof(*msg);
@@ -572,8 +573,8 @@ static int fa_handle_flow_update(struct fa_msg * msg,
         struct fa_flow * flow;
         int              fd;
 
-        (void) len;
-        assert(len >= sizeof(*msg));
+        if (len < sizeof(*msg))
+                return -EINVAL;
 
         pthread_rwlock_wrlock(&fa.flows_lock);
 
-- 
cgit v1.2.3