chiark / gitweb /
sd-dhcp-client: recevie_message - verify cmsg_len before reading
authorTom Gundersen <teg@jklm.no>
Thu, 10 Apr 2014 22:51:55 +0000 (00:51 +0200)
committerTom Gundersen <teg@jklm.no>
Thu, 10 Apr 2014 22:52:23 +0000 (00:52 +0200)
src/libsystemd-network/sd-dhcp-client.c

index da41c47..392e294 100644 (file)
@@ -1124,8 +1124,10 @@ static int client_receive_message_raw(sd_event_source *s, int fd,
                 return 0;
 
         for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
                 return 0;
 
         for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
-                if (cmsg->cmsg_level == SOL_PACKET && cmsg->cmsg_type == PACKET_AUXDATA) {
-                        struct tpacket_auxdata *aux = (void *)CMSG_DATA(cmsg);
+                if (cmsg->cmsg_level == SOL_PACKET &&
+                    cmsg->cmsg_type == PACKET_AUXDATA &&
+                    cmsg->cmsg_len == CMSG_LEN(sizeof(struct tpacket_auxdata))) {
+                        struct tpacket_auxdata *aux = (struct tpacket_auxdata*)CMSG_DATA(cmsg);
 
                         checksum = !(aux->tp_status & TP_STATUS_CSUMNOTREADY);
                         break;
 
                         checksum = !(aux->tp_status & TP_STATUS_CSUMNOTREADY);
                         break;