author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2021-06-06 16:35:29 +0200 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2021-06-06 17:06:25 +0200 |
commit | fedf9f1815d1d79d95c7d55678c463ec139adde8 (patch) | |
tree | e884ad75f1934d268251db87e699d9038e231c49 | |
parent | dfe1229fc8f707f76b3f4d09078ab5e9b5817469 (diff) | |
Check that we have the expected room before m_data
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-rw-r--r-- | src/ip6_icmp.c | 5 | ||||
-rw-r--r-- | src/ip6_input.c | 2 | ||||
-rw-r--r-- | src/ip_input.c | 2 | ||||
-rw-r--r-- | src/mbuf.h | 7 | ||||
-rw-r--r-- | src/tcp_input.c | 10 | ||||
-rw-r--r-- | src/udp.c | 2 | ||||
-rw-r--r-- | src/udp6.c | 2 |
7 files changed, 30 insertions, 0 deletions
diff --git a/src/ip6_icmp.c b/src/ip6_icmp.c
index 119c8be..21b1407 100644
--- a/src/ip6_icmp.c
+++ b/src/ip6_icmp.c
@@ -321,6 +321,8 @@ static void ndp_send_na(Slirp *slirp, struct ip6 *ip, struct icmp6 *icmp)
 static void ndp_input(struct mbuf *m, Slirp *slirp, struct ip6 *ip,
 struct icmp6 *icmp)
 {
+ g_assert(M_ROOMBEFORE(m) >= ETH_HLEN);
+
 m->m_len += ETH_HLEN;
 m->m_data -= ETH_HLEN;
 struct ethhdr *eth = mtod(m, struct ethhdr *);
@@ -383,6 +385,9 @@ static void ndp_input(struct mbuf *m, Slirp *slirp, struct ip6 *ip,
 */
 void icmp6_input(struct mbuf *m)
 {
+ /* NDP reads the ethernet header for gratuitous NDP */
+ g_assert(M_ROOMBEFORE(m) >= ETH_HLEN);
+
 struct icmp6 *icmp;
 struct ip6 *ip = mtod(m, struct ip6 *);
 Slirp *slirp = m->slirp;
diff --git a/src/ip6_input.c b/src/ip6_input.c
index a83e4f8..10c42d6 100644
--- a/src/ip6_input.c
+++ b/src/ip6_input.c
@@ -25,6 +25,8 @@ void ip6_input(struct mbuf *m)
 {
 struct ip6 *ip6;
 Slirp *slirp = m->slirp;
+ /* NDP reads the ethernet header for gratuitous NDP */
+ g_assert(M_ROOMBEFORE(m) >= TCPIPHDR_DELTA + 2 + ETH_HLEN);
 if (!slirp->in6_enabled) {
 goto bad;
diff --git a/src/ip_input.c b/src/ip_input.c
index e86bed6..7ccec8d 100644
--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -70,6 +70,8 @@ void ip_cleanup(Slirp *slirp)
 void ip_input(struct mbuf *m)
 {
 Slirp *slirp = m->slirp;
+ g_assert(M_ROOMBEFORE(m) >= TCPIPHDR_DELTA);
+
 register struct ip *ip;
 int hlen;
@@ -73,6 +73,13 @@
 */
 #define M_FREEROOM(m) (M_ROOM(m) - (m)->m_len)
+/*
+ * How much free room there is before m_data
+ */
+#define M_ROOMBEFORE(m) \
+ (((m)->m_flags & M_EXT) ? (m)->m_data - (m)->m_ext \
+ : (m)->m_data - (m)->m_dat)
+
 struct mbuf {
 /* XXX should union some of these! */
 /* header at beginning of each mbuf: */
diff --git a/src/tcp_input.c b/src/tcp_input.c
index 01e4c19..e6f5722 100644
--- a/src/tcp_input.c
+++ b/src/tcp_input.c
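Review bot: The headroom check in ndp_input is a `g_assert`, which GLib compiles out when the build defines `G_DISABLE_ASSERT`; in such a build `m->m_data -= ETH_HLEN` runs unguarded and the ethernet header read that follows can land before the start of the buffer. Whether any supported build sets that macro is not visible here, but a bound that protects a pointer adjustment is safer as an unconditional test, for example `if (M_ROOMBEFORE(m) < ETH_HLEN) { return; }` with whatever cleanup the caller expects. The same applies to the asserts added in icmp6_input, ip6_input, ip_input, tcp_input, udp_output and udp6_output. With the assert enabled a failure aborts the whole process, so it is worth confirming that no guest-supplied packet can reach these functions with less headroom than the input path reserves.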
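Review bot: The bound `TCPIPHDR_DELTA + 2 + ETH_HLEN` in ip6_input contains a bare `2` that the added comment does not explain; the comment accounts only for the ethernet header. Presumably the sum mirrors the headroom reserved where incoming frames are copied into the mbuf, and if so the comment should say that, e.g. `/* headroom reserved on input is TCPIPHDR_DELTA + 2 + ETH_HLEN; NDP reads the ethernet header for gratuitous NDP */`. Giving the sum a name shared with that code would keep the check and the reservation from drifting apart. ip6_input's body continues outside the hunk.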
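Review bot: `M_ROOMBEFORE` yields a signed pointer difference, but the checks added in tcp_input.c, udp.c and udp6.c compare it with `sizeof` expressions, which on the usual platforms converts it to an unsigned type; a negative result, should `m_data` ever sit below the buffer start, would then compare as very large and pass. Comparing in the signed domain avoids that, for instance `g_assert(M_ROOMBEFORE(m) >= (ptrdiff_t)sizeof(struct udpiphdr));`. The macro comment could also state the unit and the evaluation hazard, e.g. `/* Bytes of free room before m_data (signed); evaluates m more than once */`.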
@@ -233,6 +233,16 @@ void tcp_input(struct mbuf *m, int iphlen, struct socket *inso,
 goto cont_conn;
 }
 slirp = m->slirp;
+ switch (af) {
+ case AF_INET:
+ g_assert(M_ROOMBEFORE(m) >=
+ sizeof(struct tcpiphdr) - sizeof(struct ip) - sizeof(struct tcphdr));
+ break;
+ case AF_INET6:
+ g_assert(M_ROOMBEFORE(m) >=
+ sizeof(struct tcpiphdr) - sizeof(struct ip6) - sizeof(struct tcphdr));
+ break;
+ }
 ip = mtod(m, struct ip *);
 ip6 = mtod(m, struct ip6 *);
@@ -245,6 +245,8 @@ bad:
 int udp_output(struct socket *so, struct mbuf *m, struct sockaddr_in *saddr,
 struct sockaddr_in *daddr, int iptos)
 {
+ g_assert(M_ROOMBEFORE(m) >= sizeof(struct udpiphdr));
+
 register struct udpiphdr *ui;
 int error = 0;
@@ -153,6 +153,8 @@ bad:
 int udp6_output(struct socket *so, struct mbuf *m, struct sockaddr_in6 *saddr,
 struct sockaddr_in6 *daddr)
 {
+ g_assert(M_ROOMBEFORE(m) >= sizeof(struct ip6) + sizeof(struct udphdr));
+
 struct ip6 *ip;
 struct udphdr *uh; |
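Review bot: The `switch (af)` added in tcp_input has no `default`, so any address family other than AF_INET or AF_INET6 silently skips the headroom check before the `mtod` casts; `default: g_assert_not_reached();` would make the expectation explicit. The AF_INET bound is spelled out as `sizeof(struct tcpiphdr) - sizeof(struct ip) - sizeof(struct tcphdr)` while the ip_input hunk uses `TCPIPHDR_DELTA`; if that macro is the same quantity, using it here keeps the two checks in step. Both bounds are unsigned subtractions, so they would wrap to a huge value if `struct tcpiphdr` were ever smaller than the two headers combined, which may be worth a short comment. tcp_input starts and ends outside the hunk.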