author | 2013-01-05 12:34:53 +0000 | |
---|---|---|
committer | 2013-01-05 12:34:53 +0000 | |
commit | 0ac6e44d1dad2c48305c055a4010b42e7de58f0b (patch) | |
tree | 29328c1d2be78bdbeb44c47d612f5797f5f09724 | |
parent | Update sets sizes, comp52 now expands to 75MB more data. (diff) | |
Check UDP length field for short as well as long values. Fixes a
dhcpd crash when a UDP packet arrives saying it has 0 length.
Spotted by Martin Pelikan, who also noted it was fixed a while ago
in ISC DHCP 3.0b2p17.
Fix tested by Martin. Thanks!
-rw-r--r-- | usr.sbin/dhcpd/packet.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/dhcpd/packet.c b/usr.sbin/dhcpd/packet.c
index 2af78459108..00e06d7dd97 100644
--- a/usr.sbin/dhcpd/packet.c
+++ b/usr.sbin/dhcpd/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.3 2004/04/21 09:11:58 canacar Exp $ */
+/* $OpenBSD: packet.c,v 1.4 2013/01/05 12:34:53 krw Exp $ */
 /* Packet assembly code, originally contributed by Archie Cobbs. */
@@ -205,7 +205,7 @@ decode_udp_ip_header(struct interface_info *interface, unsigned char *buf,
 data = buf + bufix + ip_len + sizeof(*udp);
 len = ntohs(udp->uh_ulen) - sizeof(*udp);
 udp_packets_length_checked++;
- if (len + data > buf + bufix + buflen) {
+ if ((len < 0) || (len + data > buf + bufix + buflen)) {
 udp_packets_length_overflow++;
 if (udp_packets_length_checked > 4 &&
 (udp_packets_length_checked / |
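Review bot: The added `len < 0` test in decode_udp_ip_header only rejects a short uh_ulen if `len` is a signed type, and its declaration is outside this hunk; `ntohs(udp->uh_ulen) - sizeof(*udp)` is evaluated as unsigned, so the negative value appears only through the conversion on assignment. Testing the wire field before the subtraction does not depend on that: `if (ntohs(udp->uh_ulen) < sizeof(*udp) || len + data > buf + bufix + buflen) {`. The upper bound is still checked with pointer arithmetic, which forms `len + data` beyond the buffer for an oversized length; comparing lengths as integers would avoid that, provided the types of `ip_len` and `buflen` (not shown here) permit it. The function begins and ends outside the hunk, so any earlier check that the buffer holds a full UDP header is not visible.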