Skip to content

Commit

Permalink
Fix insufficient length validation in IPv4 packets.
Browse files Browse the repository at this point in the history
Found via cargo-fuzz.
  • Loading branch information
whitequark committed Oct 2, 2017
1 parent 58c12b8 commit c8ae7bd
Showing 1 changed file with 18 additions and 6 deletions.
24 changes: 18 additions & 6 deletions src/wire/ipv4.rs
Original file line number Diff line number Diff line change
Expand Up @@ -119,19 +119,21 @@ impl<T: AsRef<[u8]>> Packet<T> {
/// Ensure that no accessor method will panic if called.
/// Returns `Err(Error::Truncated)` if the buffer is too short.
///
/// The result of this check is invalidated by calling [set_header_len].
/// The result of this check is invalidated by calling [set_header_len]
/// and [set_total_len].
///
/// [set_header_len]: #method.set_header_len
/// [set_total_len]: #method.set_total_len
pub fn check_len(&self) -> Result<()> {
let len = self.buffer.as_ref().len();
if len < field::DST_ADDR.end {
Err(Error::Truncated)
} else if len < self.header_len() as usize {
Err(Error::Truncated)
} else if len < self.total_len() as usize {
Err(Error::Truncated)
} else {
if len < self.header_len() as usize {
Err(Error::Truncated)
} else {
Ok(())
}
Ok(())
}
}

Expand Down Expand Up @@ -634,6 +636,16 @@ mod test {
PAYLOAD_BYTES.len());
}

#[test]
fn test_total_len_overflow() {
let mut bytes = vec![];
bytes.extend(&PACKET_BYTES[..]);
Packet::new(&mut bytes).set_total_len(128);

assert_eq!(Packet::new_checked(&bytes).unwrap_err(),
Error::Truncated);
}

static REPR_PACKET_BYTES: [u8; 24] =
[0x45, 0x00, 0x00, 0x18,
0x00, 0x00, 0x40, 0x00,
Expand Down

0 comments on commit c8ae7bd

Please sign in to comment.