sd-dhcp-client: recevie_message - verify cmsg_len before reading

author: Tom Gundersen <teg@jklm.no> 2014-04-11 00:51:55 +0200
committer: Tom Gundersen <teg@jklm.no> 2014-04-11 00:52:23 +0200
commit: 48a4612e6b67ae81b93ee8e8a4b3f8efa5324270 (patch)
tree: 24de7877030beda5aa1cbcf7552a5d2ade256c42
parent: bc078e7163a826126e9ba03934978f510e9ef9e5 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
index da41c478ea..392e294ae4 100644
--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
@@ -1124,8 +1124,10 @@ static int client_receive_message_raw(sd_event_source *s, int fd,
                 return 0;
 
         for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
-                if (cmsg->cmsg_level == SOL_PACKET && cmsg->cmsg_type == PACKET_AUXDATA) {
-                        struct tpacket_auxdata *aux = (void *)CMSG_DATA(cmsg);
+                if (cmsg->cmsg_level == SOL_PACKET &&
+                    cmsg->cmsg_type == PACKET_AUXDATA &&
+                    cmsg->cmsg_len == CMSG_LEN(sizeof(struct tpacket_auxdata))) {
+                        struct tpacket_auxdata *aux = (struct tpacket_auxdata*)CMSG_DATA(cmsg);
 
                         checksum = !(aux->tp_status & TP_STATUS_CSUMNOTREADY);
                         break;
author	Tom Gundersen <teg@jklm.no>	2014-04-11 00:51:55 +0200
committer	Tom Gundersen <teg@jklm.no>	2014-04-11 00:52:23 +0200
commit	48a4612e6b67ae81b93ee8e8a4b3f8efa5324270 (patch)
tree	24de7877030beda5aa1cbcf7552a5d2ade256c42
parent	bc078e7163a826126e9ba03934978f510e9ef9e5 (diff)