From 48a4612e6b67ae81b93ee8e8a4b3f8efa5324270 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Fri, 11 Apr 2014 00:51:55 +0200 Subject: [PATCH] sd-dhcp-client: recevie_message - verify cmsg_len before reading --- src/libsystemd-network/sd-dhcp-client.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c index da41c478e..392e294ae 100644 --- a/src/libsystemd-network/sd-dhcp-client.c +++ b/src/libsystemd-network/sd-dhcp-client.c @@ -1124,8 +1124,10 @@ static int client_receive_message_raw(sd_event_source *s, int fd, return 0; for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { - if (cmsg->cmsg_level == SOL_PACKET && cmsg->cmsg_type == PACKET_AUXDATA) { - struct tpacket_auxdata *aux = (void *)CMSG_DATA(cmsg); + if (cmsg->cmsg_level == SOL_PACKET && + cmsg->cmsg_type == PACKET_AUXDATA && + cmsg->cmsg_len == CMSG_LEN(sizeof(struct tpacket_auxdata))) { + struct tpacket_auxdata *aux = (struct tpacket_auxdata*)CMSG_DATA(cmsg); checksum = !(aux->tp_status & TP_STATUS_CSUMNOTREADY); break; -- 2.30.2