summaryrefslogtreecommitdiffhomepage
path: root/dhcpv4/nclient4
diff options
context:
space:
mode:
authorAndrey Smirnov <andrey.smirnov@talos-systems.com>2021-12-13 22:09:15 +0300
committerChris K <c@chrisko.ch>2021-12-13 23:08:28 -0800
commit5297eed8f4898e7a29898c70d6450d2daebecd17 (patch)
tree56bf7ba3df3da2c032d2e9bd58f22c3dded21a67 /dhcpv4/nclient4
parent7d93572ebe8e3ba39a15bc7b70757c83a5fb8352 (diff)
fix: check IP/UDP header size before trying to access it
This should fix the panic we've seen with the malformed packets on the wire. Remaining buffer size should be checked before trying to access the data, otherwise Go might panic on out of bounds slice operation. Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Diffstat (limited to 'dhcpv4/nclient4')
-rw-r--r--dhcpv4/nclient4/conn_linux.go15
1 files changed, 15 insertions, 0 deletions
diff --git a/dhcpv4/nclient4/conn_linux.go b/dhcpv4/nclient4/conn_linux.go
index 2fe69ce..6cdb071 100644
--- a/dhcpv4/nclient4/conn_linux.go
+++ b/dhcpv4/nclient4/conn_linux.go
@@ -2,6 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
+//go:build go1.12
// +build go1.12
package nclient4
@@ -98,12 +99,26 @@ func (upc *BroadcastRawUDPConn) ReadFrom(b []byte) (int, net.Addr, error) {
buf := uio.NewBigEndianBuffer(pkt)
// To read the header length, access data directly.
+ if !buf.Has(ipv4MinimumSize) {
+ continue
+ }
+
ipHdr := ipv4(buf.Data())
+
+ if !buf.Has(int(ipHdr.headerLength())) {
+ continue
+ }
+
ipHdr = ipv4(buf.Consume(int(ipHdr.headerLength())))
if ipHdr.transportProtocol() != udpProtocolNumber {
continue
}
+
+ if !buf.Has(udpHdrLen) {
+ continue
+ }
+
udpHdr := udp(buf.Consume(udpHdrLen))
addr := &net.UDPAddr{