Validate the messageLength field of incoming messages.
The PTP messageLength field is redundant because the length of a PTP message is precisely determined by the message type and the appended TLVs. The current implementation validates the sizes of both the main message (according to the fixed header length and fixed length by type) and the TLVs (by using the 'L' of the TLV).

However, when forwarding a message, the messageLength field is used. If a message arrives with a messageLength field larger than the actual message size, the code will read and possibly write data beyond the allocated buffer.

Fix the issue by validating the field on ingress. This prevents reading and sending data past the message buffer when forwarding a management message or other messages when operating as a transparent clock, and it also prevents a memory corruption in msg_post_recv() after forwarding a management message.

Reported-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
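The ingress check described in the commit message, as an added example that is not the project's code: the messageLength field is compared against the number of bytes actually received before the forwarding path uses it as a copy length. The function names, BUF_SIZE and the sample message are assumptions made for illustration; the 34-byte common header and the big-endian messageLength at octets 2-3 follow the PTP header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTP_HEADER_LEN    34  /* fixed size of the PTP common header */
#define PTP_MSGLEN_OFFSET  2  /* messageLength: octets 2-3, network byte order */
#define BUF_SIZE         256  /* assumed receive/transmit buffer size */

/* Returns the validated messageLength, or -1 if the field cannot be trusted. */
long checked_message_length(const uint8_t *buf, size_t received)
{
    if (received < PTP_HEADER_LEN)
        return -1;            /* header itself is truncated */
    size_t claimed = ((size_t)buf[PTP_MSGLEN_OFFSET] << 8) | buf[PTP_MSGLEN_OFFSET + 1];
    if (claimed < PTP_HEADER_LEN)
        return -1;            /* shorter than any valid message */
    if (claimed > received)
        return -1;            /* claims bytes that never arrived */
    return (long)claimed;     /* claimed <= received: trailing padding is dropped */
}

/* Forward path: the copy length comes only from the validated field. */
long forward_message(const uint8_t *rx, size_t received, uint8_t *tx, size_t tx_cap)
{
    long len = checked_message_length(rx, received);
    if (len < 0 || (size_t)len > tx_cap)
        return -1;
    memcpy(tx, rx, (size_t)len);
    return len;
}

/* Constructed sample: a zero-filled management message whose messageLength field
 * is `claimed`, of which `received` bytes arrived. Returns forward_message()'s result. */
long demo_forward(uint16_t claimed, size_t received)
{
    uint8_t rx[BUF_SIZE] = {0}, tx[BUF_SIZE];
    rx[0] = 0x0d;             /* messageType 0xD = Management */
    rx[1] = 0x02;             /* versionPTP 2 */
    rx[PTP_MSGLEN_OFFSET] = (uint8_t)(claimed >> 8);
    rx[PTP_MSGLEN_OFFSET + 1] = (uint8_t)(claimed & 0xff);
    return forward_message(rx, received, tx, sizeof(tx));
}

int main(void)
{
    printf("honest: %ld, padded: %ld\n", demo_forward(54, 54), demo_forward(54, 60));
    printf("inflated: %ld, undersized: %ld\n", demo_forward(1400, 54), demo_forward(10, 54));
    return 0;
}
```

A field smaller than the received byte count is accepted here because a transport may deliver trailing padding; only the claimed length is forwarded.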