diff options
author | Andrey Smirnov <andrey.smirnov@talos-systems.com> | 2021-12-13 22:09:15 +0300 |
---|---|---|
committer | Chris K <c@chrisko.ch> | 2021-12-13 23:08:28 -0800 |
commit | 5297eed8f4898e7a29898c70d6450d2daebecd17 (patch) | |
tree | 56bf7ba3df3da2c032d2e9bd58f22c3dded21a67 /dhcpv4/nclient4 | |
parent | 7d93572ebe8e3ba39a15bc7b70757c83a5fb8352 (diff) |
fix: check IP/UDP header size before trying to access it
This should fix the panic we've seen with the malformed packets on the
wire. Remaining buffer size should be checked before trying to access
the data, otherwise Go might panic on out of bounds slice operation.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Diffstat (limited to 'dhcpv4/nclient4')
-rw-r--r-- | dhcpv4/nclient4/conn_linux.go | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/dhcpv4/nclient4/conn_linux.go b/dhcpv4/nclient4/conn_linux.go index 2fe69ce..6cdb071 100644 --- a/dhcpv4/nclient4/conn_linux.go +++ b/dhcpv4/nclient4/conn_linux.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build go1.12 // +build go1.12 package nclient4 @@ -98,12 +99,26 @@ func (upc *BroadcastRawUDPConn) ReadFrom(b []byte) (int, net.Addr, error) { buf := uio.NewBigEndianBuffer(pkt) // To read the header length, access data directly. + if !buf.Has(ipv4MinimumSize) { + continue + } + ipHdr := ipv4(buf.Data()) + + if !buf.Has(int(ipHdr.headerLength())) { + continue + } + ipHdr = ipv4(buf.Consume(int(ipHdr.headerLength()))) if ipHdr.transportProtocol() != udpProtocolNumber { continue } + + if !buf.Has(udpHdrLen) { + continue + } + udpHdr := udp(buf.Consume(udpHdrLen)) addr := &net.UDPAddr{ |