From 75ff364cd556c1ad8cfe742f0d58d5751807c111 Mon Sep 17 00:00:00 2001
From: Håkon Nessjøen
Date: Wed, 2 Nov 2011 20:42:17 +0100
Subject: Buffer overflow prevention.

---
 protocol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/protocol.c b/protocol.c
index 5800a7e..d9ba0a1 100644
--- a/protocol.c
+++ b/protocol.c
@@ -221,6 +221,11 @@ int parse_control_packet(unsigned char *packetdata, int data_len, struct mt_mact
 	/* Control packet data length */
 	memcpy(&(cpkthdr->length), data + 5, sizeof(cpkthdr->length));
 	cpkthdr->length = ntohl(cpkthdr->length);
+
+	/* We want no buffer overflows */
+	if (cpkthdr->length >= MT_PACKET_LEN - 22 - int_pos) {
+		cpkthdr->length = MT_PACKET_LEN - 1 - 22 - int_pos;
+	}
 
 	/* Set pointer to actual data */
 	cpkthdr->data = data + 9;
-- 
cgit v1.2.3
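Review bot: The new clamp bounds `cpkthdr->length` by the buffer capacity `MT_PACKET_LEN` instead of by the bytes actually received, although `data_len` is a parameter of `parse_control_packet`, so a short datagram carrying an inflated length field still lets the caller consume stale bytes between the end of the received data and the end of the buffer. The bound also appears not to account for the 9-byte control header that `cpkthdr->data = data + 9` skips (inferred from the visible offsets; how `data` and `int_pos` relate to `packetdata` is outside the hunk), and if `cpkthdr->length` is unsigned while `MT_PACKET_LEN - 22 - int_pos` can go negative, the `>=` comparison is performed in unsigned arithmetic and never fires. Silently truncating the length also turns a malformed packet into a "valid" shorter one rather than rejecting it. I would compute the remaining received bytes and fail the parse, along the lines of `if (int_pos + 22 + 9 > data_len || cpkthdr->length > (unsigned)(data_len - 22 - 9 - int_pos)) { return /* this function's error value */; }`, and name the `22` and `9` header sizes as constants so the arithmetic is checkable. The body of `parse_control_packet` starts and ends outside this hunk.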