From 0394bf8987e300fb2fe6115962a7a355a1cae1e8 Mon Sep 17 00:00:00 2001
From: Niels Werensteijn
Date: Tue, 11 Oct 2016 16:57:27 +0200
Subject: [PATCH] fixed buffer overflow
---
 src/ts3init_match.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/ts3init_match.c b/src/ts3init_match.c
index 918f1de..acb2db4 100644
--- a/src/ts3init_match.c
+++ b/src/ts3init_match.c
@@ -35,7 +35,7 @@ static const struct ts3_init_header_tag ts3init_header_tag_signature =
 static const int header_size = 18;
 static int ts3init_payload_sizes[] = { 16, 20, 20, 244, -1, 1 };
-
+
 DEFINE_PER_CPU(struct ts3init_cache_t, ts3init_cache);
 static bool check_header(const struct sk_buff *skb, const struct xt_action_param *par,
@@ -49,7 +49,9 @@ static bool check_header(const struct sk_buff *skb, const struct xt_action_param
 udp = skb_header_pointer(skb, par->thoff, sizeof(*udp), &header_data->udp_buf);
 data_len = be16_to_cpu(udp->len) - sizeof(*udp);
- if (data_len < header_size) return false;
+ if (data_len < header_size ||
+ data_len > sizeof(header_data->ts3_header_buf))
+ return false;
 ts3_header = (struct ts3_init_header*) skb_header_pointer(skb, par->thoff + sizeof(*udp), data_len,
@@ -61,7 +63,7 @@ static bool check_header(const struct sk_buff *skb, const struct xt_action_param
 if (ts3_header->packet_id != cpu_to_be16(101)) return false;
 if (ts3_header->client_id != 0) return false;
 if (ts3_header->flags != 0x88) return false;
- if (ts3_header->command >= COMMAND_MAX) return false;
+ if (ts3_header->command >= COMMAND_MAX) return false;
 /* check min_client_version if needed */
 if (min_client_version)
@@ -78,7 +80,7 @@ static bool check_header(const struct sk_buff *skb, const struct xt_action_param
 }
 /* payload size check*/
- expected_payload_size = ts3init_payload_sizes[ts3_header->command];
+ expected_payload_size = ts3init_payload_sizes[ts3_header->command];
 if (data_len != header_size + expected_payload_size) return false;
 header_data->udp = udp;
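Review bot: `udp` is dereferenced on the `data_len = be16_to_cpu(udp->len) - sizeof(*udp);` line of the second hunk without a check that skb_header_pointer() actually returned a header; it returns NULL when the skb holds fewer than sizeof(*udp) bytes at par->thoff, and nothing in the hunk rejects that case, so a short packet would hit a NULL dereference before the new length guard ever runs. Unless the lines above the hunk already do it, add `if (!udp) return false;` between those two lines. The new upper bound against sizeof(header_data->ts3_header_buf) is the right fix for the copy into that buffer, and because the lower-bound test is evaluated first it also covers a udp->len smaller than the UDP header whether or not data_len is a signed type (its declaration is outside the hunk, so that is an assumption to confirm). The `(struct ts3_init_header*)` cast on the void* return of skb_header_pointer() is unnecessary in C and could be dropped. check_header begins before this hunk and continues after it.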