diff options
| author | Håkon Nessjøen <haakon.nessjoen@gmail.com> | 2011-11-02 20:42:17 +0100 |
|---|---|---|
| committer | Håkon Nessjøen <haakon.nessjoen@gmail.com> | 2011-11-02 20:42:17 +0100 |
| commit | 75ff364cd556c1ad8cfe742f0d58d5751807c111 (patch) | |
| tree | 977b4374202896e505952fa849ca3a48d07437eb | |
| parent | 2df57f592c0760b15707e87537e29aebaa83ee87 (diff) | |
| download | MAC-Telnet-75ff364cd556c1ad8cfe742f0d58d5751807c111.tar.gz MAC-Telnet-75ff364cd556c1ad8cfe742f0d58d5751807c111.zip | |
Buffer overflow prevention.
| -rw-r--r-- | protocol.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -221,6 +221,11 @@ int parse_control_packet(unsigned char *packetdata, int data_len, struct mt_mact /* Control packet data length */ memcpy(&(cpkthdr->length), data + 5, sizeof(cpkthdr->length)); cpkthdr->length = ntohl(cpkthdr->length); + + /* We want no buffer overflows */ + if (cpkthdr->length >= MT_PACKET_LEN - 22 - int_pos) { + cpkthdr->length = MT_PACKET_LEN - 1 - 22 - int_pos; + } /* Set pointer to actual data */ cpkthdr->data = data + 9; |