check UDP packet length before checksumming it in valid_udp_packet()#8
Closed
maciejsszmigiero wants to merge 1 commit intoNetworkConfiguration:masterfrom
maciejsszmigiero:dhcp-udp-length-check
Closed
check UDP packet length before checksumming it in valid_udp_packet()#8maciejsszmigiero wants to merge 1 commit intoNetworkConfiguration:masterfrom maciejsszmigiero:dhcp-udp-length-check
maciejsszmigiero wants to merge 1 commit intoNetworkConfiguration:masterfrom
maciejsszmigiero:dhcp-udp-length-check
Conversation
…ket() dhcpcd sometimes crashes on Linux when it reads a truncated UDP packet, causing valid_udp_packet() to read past the buffer when checksumming it. This issue can be fixed by adding explicit packet length checks to this function. The BPF filter code loaded into the OS kernel checks the received packet length, but it looks like reading a truncated packet from the kernel is still possible.
Member
|
Thanks for the excellent patch and commentary. This fixes a recently reported crash I was unable to solve and is a better fix from another submitter. I've adjusted your patch slightly to move the length check before the don't checksum check as well because we don't want to skip it for sure! I've given you credit in commit c9fc5a5 Many thanks! |
Contributor
Author
|
Thank you for your kind words. I see that you dropped the check for ip_hlen. Is it safe to do so? |
Member
|
Totally my bad. I have no idea how that got lost! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dhcpcd sometimes crashes on Linux when it reads a truncated UDP packet,
causing valid_udp_packet() to read past the buffer when checksumming it.
This issue can be fixed by adding explicit packet length checks to this
function.
The BPF filter code loaded into the OS kernel checks the received packet
length, but it looks like reading a truncated packet from the kernel is
still possible.