fix: check IP/UDP header size before trying to access it

This should fix the panic we've seen with the malformed packets on the wire. Remaining buffer size should be checked before trying to access the data, otherwise Go might panic on out of bounds slice operation. Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
author: Andrey Smirnov <andrey.smirnov@talos-systems.com> 2021-12-13 22:09:15 +0300
committer: Chris K <c@chrisko.ch> 2021-12-13 23:08:28 -0800
commit: 5297eed8f4898e7a29898c70d6450d2daebecd17 (patch)
tree: 56bf7ba3df3da2c032d2e9bd58f22c3dded21a67 /dhcpv4
parent: 7d93572ebe8e3ba39a15bc7b70757c83a5fb8352 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/dhcpv4/nclient4/conn_linux.go b/dhcpv4/nclient4/conn_linux.go
index 2fe69ce..6cdb071 100644
--- a/dhcpv4/nclient4/conn_linux.go
+++ b/dhcpv4/nclient4/conn_linux.go
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build go1.12
 // +build go1.12
 
 package nclient4
@@ -98,12 +99,26 @@ func (upc *BroadcastRawUDPConn) ReadFrom(b []byte) (int, net.Addr, error) {
 		buf := uio.NewBigEndianBuffer(pkt)
 
 		// To read the header length, access data directly.
+		if !buf.Has(ipv4MinimumSize) {
+			continue
+		}
+
 		ipHdr := ipv4(buf.Data())
+
+		if !buf.Has(int(ipHdr.headerLength())) {
+			continue
+		}
+
 		ipHdr = ipv4(buf.Consume(int(ipHdr.headerLength())))
 
 		if ipHdr.transportProtocol() != udpProtocolNumber {
 			continue
 		}
+
+		if !buf.Has(udpHdrLen) {
+			continue
+		}
+
 		udpHdr := udp(buf.Consume(udpHdrLen))
 
 		addr := &net.UDPAddr{
author	Andrey Smirnov <andrey.smirnov@talos-systems.com>	2021-12-13 22:09:15 +0300
committer	Chris K <c@chrisko.ch>	2021-12-13 23:08:28 -0800
commit	5297eed8f4898e7a29898c70d6450d2daebecd17 (patch)
tree	56bf7ba3df3da2c032d2e9bd58f22c3dded21a67 /dhcpv4
parent	7d93572ebe8e3ba39a15bc7b70757c83a5fb8352 (diff)