More checks for correct header sizes

Reported-by: "P. Amsuo, Purdue University"
virtualsquare · May 14, 2023 · 4b9a167 · 4b9a167
1 parent d561990
commit 4b9a167
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/modules/pico_ipv4.c b/modules/pico_ipv4.c
@@ -668,6 +668,11 @@ static int pico_ipv4_process_in(struct pico_stack *S, struct pico_protocol *self
     f->transport_hdr = ((uint8_t *)f->net_hdr) + PICO_SIZE_IP4HDR + option_len;
     f->transport_len = (uint16_t)(short_be(hdr->len) - PICO_SIZE_IP4HDR - option_len);
     f->net_len = (uint16_t)(PICO_SIZE_IP4HDR + option_len);
+
+    if ((f->net_hdr + f->net_len) > (f->buffer + f->buffer_len)) {
+        pico_frame_discard(f);
+        return 0;
+    }
 #if defined(PICO_SUPPORT_IPV4FRAG) || defined(PICO_SUPPORT_IPV6FRAG)
     f->frag = short_be(hdr->frag);
 #endif

diff --git a/modules/pico_tcp.c b/modules/pico_tcp.c
@@ -868,6 +868,9 @@ static inline void tcp_parse_option_mss(struct pico_socket_tcp *t, uint8_t len,
     if (tcpopt_len_check(idx, len, PICO_TCPOPTLEN_MSS) < 0)
         return;
 
+    if ((*idx + PICO_TCPOPTLEN_MSS) > len)
+        return;
+
     t->mss_ok = 1;
     mss = short_from(opt + *idx);
     *idx += (uint32_t)sizeof(uint16_t);
@@ -896,6 +899,10 @@ static int tcp_parse_options(struct pico_frame *f)
     uint8_t *opt = f->transport_hdr + PICO_SIZE_TCPHDR;
     uint32_t i = 0;
     f->timestamp = 0;
+
+    if (f->buffer + f->buffer_len > f->transport_hdr + f->transport_len)
+        return -1;
+
     while (i < (f->transport_len - PICO_SIZE_TCPHDR)) {
         uint8_t type =  opt[i++];
         uint8_t len;