check payload length validity

make sure the payload does not exceed the amount of data received
RIOT-OS · Jan 8, 2014 · 76b017a · 76b017a
1 parent ac0ec1f
commit 76b017a
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/cpu/native/net/tap.c b/cpu/native/net/tap.c
@@ -87,8 +87,13 @@ void _native_handle_tap_input(void)
                 /* XXX: check overflow */
                 p.length = ntohs(frame.field.payload.nn_header.length);
                 p.data = frame.field.payload.data;
-                DEBUG("_native_handle_tap_input: received packet of length %"PRIu16" for %"PRIu16" from %"PRIu16"\n", p.length, p.dst, p.src);
-                _nativenet_handle_packet(&p);
+                if (p.length > (nread - sizeof(struct nativenet_header))) {
+                    warnx("_native_handle_tap_input: packet with malicious length field received, discarding");
+                }
+                else {
+                    DEBUG("_native_handle_tap_input: received packet of length %"PRIu16" for %"PRIu16" from %"PRIu16"\n", p.length, p.dst, p.src);
+                    _nativenet_handle_packet(&p);
+                }
             }
         }
         else {