Check pktlen against input buffer size - warp-vpn - point to point VPN implementation

commit 0ae9423d7c9b6a3ac2efc064bc5e977b0ef8a6ee
parent 8156207617024e8548d0d491f4aba95a691d8bfd
Author: sin <sin@2f30.org>
Date:   Sat, 26 Mar 2016 10:49:08 +0000

Check pktlen against input buffer size

Diffstat:
M stun.c  | 6 ++++--

1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/stun.c b/stun.c
@@ -403,8 +403,10 @@ readnet(int fd, unsigned char *buf, int len)
 	n = readall(fd, hdr, sizeof(hdr));
 	if (n <= 0)
 		return n;
-	paddedlen = padto(pktlen = unpack16(hdr), AES_BLOCK_SIZE);
-	if (paddedlen < 0 || paddedlen > MTU + AES_BLOCK_SIZE) {
+	pktlen = unpack16(hdr);
+	paddedlen = padto(pktlen, AES_BLOCK_SIZE);
+	if (pktlen < 0 || pktlen > len ||
+	    paddedlen < 0 || paddedlen > MTU + AES_BLOCK_SIZE) {
 		logwarn("bogus payload length: %d", paddedlen);
 		return -1;
 	}

	warp-vpn point to point VPN implementation
	git clone git://git.2f30.org/warp-vpn
	Log \| Files \| Refs \| README