diff options
author | Michael Brown | 2016-03-12 02:21:18 +0100 |
---|---|---|
committer | Michael Brown | 2016-03-12 02:24:03 +0100 |
commit | 64acfd9ddd73bf38802f8c57e054d13a57b14198 (patch) | |
tree | 97a1d42de582670763f60d8b21a840f4dfde6059 /src/net | |
parent | [pixbuf] Check for unsigned integer overflow on multiplication (diff) | |
download | ipxe-64acfd9ddd73bf38802f8c57e054d13a57b14198.tar.gz ipxe-64acfd9ddd73bf38802f8c57e054d13a57b14198.tar.xz ipxe-64acfd9ddd73bf38802f8c57e054d13a57b14198.zip |
[arp] Validate length of ARP packet
There is no practical way to generate an underlength ARP packet since
an ARP packet is always padded up to the minimum Ethernet frame length
(or dropped by the receiving Ethernet hardware if incorrectly padded),
but the absence of an explicit check causes warnings from some
analysis tools.
Fix by adding an explicit check on the I/O buffer length.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/net')
-rw-r--r-- | src/net/arp.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/net/arp.c b/src/net/arp.c index 1e27c44e..c9b4109a 100644 --- a/src/net/arp.c +++ b/src/net/arp.c @@ -139,8 +139,15 @@ static int arp_rx ( struct io_buffer *iobuf, struct net_device *netdev, struct arp_net_protocol *arp_net_protocol; struct net_protocol *net_protocol; struct ll_protocol *ll_protocol; + size_t len = iob_len ( iobuf ); int rc; + /* Sanity check */ + if ( ( len < sizeof ( *arphdr ) ) || ( len < arp_len ( arphdr ) ) ) { + rc = -EINVAL; + goto done; + } + /* Identify network-layer and link-layer protocols */ arp_net_protocol = arp_find_protocol ( arphdr->ar_pro ); if ( ! arp_net_protocol ) { |