mirror of git://git.sysmocom.de/ofono
ppp: Add basic length sanity checks
This commit is contained in:
parent
e893deac59
commit
2eb4611de8
|
@ -214,17 +214,18 @@ static void ppp_receive(const unsigned char *buf, gsize len, void *data)
|
|||
|
||||
switch (protocol) {
|
||||
case PPP_IP_PROTO:
|
||||
ppp_net_process_packet(ppp->net, packet);
|
||||
ppp_net_process_packet(ppp->net, packet, len - offset);
|
||||
break;
|
||||
case LCP_PROTOCOL:
|
||||
pppcp_process_packet(ppp->lcp, packet);
|
||||
pppcp_process_packet(ppp->lcp, packet, len - offset);
|
||||
break;
|
||||
case IPCP_PROTO:
|
||||
pppcp_process_packet(ppp->ipcp, packet);
|
||||
pppcp_process_packet(ppp->ipcp, packet, len - offset);
|
||||
break;
|
||||
case CHAP_PROTOCOL:
|
||||
if (ppp->chap) {
|
||||
ppp_chap_process_packet(ppp->chap, packet);
|
||||
ppp_chap_process_packet(ppp->chap, packet,
|
||||
len - offset);
|
||||
break;
|
||||
}
|
||||
/* fall through */
|
||||
|
|
|
@ -98,12 +98,14 @@ void ipcp_set_server_info(struct pppcp_data *ipcp, guint32 peer_addr,
|
|||
/* CHAP related functions */
|
||||
struct ppp_chap *ppp_chap_new(GAtPPP *ppp, guint8 method);
|
||||
void ppp_chap_free(struct ppp_chap *chap);
|
||||
void ppp_chap_process_packet(struct ppp_chap *chap, const guint8 *new_packet);
|
||||
void ppp_chap_process_packet(struct ppp_chap *chap, const guint8 *new_packet,
|
||||
gsize len);
|
||||
|
||||
/* TUN / Network related functions */
|
||||
struct ppp_net *ppp_net_new(GAtPPP *ppp, int fd);
|
||||
const char *ppp_net_get_interface(struct ppp_net *net);
|
||||
void ppp_net_process_packet(struct ppp_net *net, const guint8 *packet);
|
||||
void ppp_net_process_packet(struct ppp_net *net, const guint8 *packet,
|
||||
gsize len);
|
||||
void ppp_net_free(struct ppp_net *net);
|
||||
gboolean ppp_net_set_mtu(struct ppp_net *net, guint16 mtu);
|
||||
void ppp_net_suspend_interface(struct ppp_net *net);
|
||||
|
|
|
@ -118,9 +118,15 @@ challenge_out:
|
|||
/*
|
||||
* parse the packet
|
||||
*/
|
||||
void ppp_chap_process_packet(struct ppp_chap *chap, const guint8 *new_packet)
|
||||
void ppp_chap_process_packet(struct ppp_chap *chap, const guint8 *new_packet,
|
||||
gsize len)
|
||||
{
|
||||
guint8 code = new_packet[0];
|
||||
guint8 code;
|
||||
|
||||
if (len < sizeof(struct chap_header))
|
||||
return;
|
||||
|
||||
code = new_packet[0];
|
||||
|
||||
switch (code) {
|
||||
case CHALLENGE:
|
||||
|
|
|
@ -945,7 +945,7 @@ void pppcp_send_protocol_reject(struct pppcp_data *data,
|
|||
/*
|
||||
* parse the packet and determine which event this packet caused
|
||||
*/
|
||||
void pppcp_process_packet(gpointer priv, const guint8 *new_packet)
|
||||
void pppcp_process_packet(gpointer priv, const guint8 *new_packet, gsize len)
|
||||
{
|
||||
struct pppcp_data *data = priv;
|
||||
const struct pppcp_packet *packet =
|
||||
|
@ -953,7 +953,7 @@ void pppcp_process_packet(gpointer priv, const guint8 *new_packet)
|
|||
guint8 event_type;
|
||||
guint data_len = 0;
|
||||
|
||||
if (data == NULL)
|
||||
if (len < sizeof(struct pppcp_packet))
|
||||
return;
|
||||
|
||||
/* check flags to see if we support this code */
|
||||
|
|
|
@ -117,7 +117,7 @@ void pppcp_set_local_options(struct pppcp_data *data,
|
|||
const guint8 *options,
|
||||
guint16 len);
|
||||
|
||||
void pppcp_process_packet(gpointer priv, const guint8 *new_packet);
|
||||
void pppcp_process_packet(gpointer priv, const guint8 *new_packet, gsize len);
|
||||
void pppcp_send_protocol_reject(struct pppcp_data *data,
|
||||
const guint8 *rejected_packet, gsize len);
|
||||
void pppcp_signal_open(struct pppcp_data *data);
|
||||
|
|
|
@ -77,16 +77,22 @@ gboolean ppp_net_set_mtu(struct ppp_net *net, guint16 mtu)
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
void ppp_net_process_packet(struct ppp_net *net, const guint8 *packet)
|
||||
void ppp_net_process_packet(struct ppp_net *net, const guint8 *packet,
|
||||
gsize plen)
|
||||
{
|
||||
GIOStatus status;
|
||||
gsize bytes_written;
|
||||
guint16 len;
|
||||
|
||||
if (plen < 4)
|
||||
return;
|
||||
|
||||
/* find the length of the packet to transmit */
|
||||
len = get_host_short(&packet[2]);
|
||||
status = g_io_channel_write_chars(net->channel, (gchar *) packet,
|
||||
len, &bytes_written, NULL);
|
||||
MIN(len, plen),
|
||||
&bytes_written, NULL);
|
||||
|
||||
if (status != G_IO_STATUS_NORMAL)
|
||||
return;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue