Rev 555: more careful checking of lengths in http://samba.org/~tridge/ctdb

tridge at samba.org tridge at samba.org
Wed Jul 4 06:22:09 GMT 2007


------------------------------------------------------------
revno: 555
revision-id: tridge at samba.org-20070704062209-pw3hnhxw7ambmvcf
parent: tridge at samba.org-20070704045133-umv584idgrsbj03e
committer: Andrew Tridgell <tridge at samba.org>
branch nick: tridge
timestamp: Wed 2007-07-04 16:22:09 +1000
message:
  more careful checking of lengths
modified:
  takeover/system.c              system.c-20070525071636-a5n1ihghjtppy08r-3
=== modified file 'takeover/system.c'
--- a/takeover/system.c	2007-07-04 03:53:22 +0000
+++ b/takeover/system.c	2007-07-04 06:22:09 +0000
@@ -484,7 +484,7 @@
 		event_loop_once(ev);
 
 		ret = recv(s, pkt, RCVPKTSIZE, MSG_TRUNC);
-		if (ret<40) {
+		if (ret < sizeof(*eth)+sizeof(*ip)) {
 			continue;
 		}
 
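Review bot: The new test `ret < sizeof(*eth)+sizeof(*ip)` compares the recv() result with a size_t, so if `ret` is a signed type (its declaration is outside the hunk) a -1 error return converts to a very large unsigned value and is no longer skipped, which the old `ret<40` did catch. I would write `if (ret < 0 || (size_t)ret < sizeof(*eth)+sizeof(*ip)) {`. Separately, with MSG_TRUNC recv() can report the full length of the packet even when it is longer than RCVPKTSIZE, so `ret` may exceed what was actually copied into `pkt`. Clamping `ret` to RCVPKTSIZE before this check and the short-packet test in the third hunk would make both bound the buffer rather than the wire length. The enclosing loop starts and ends outside the hunk.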
@@ -496,7 +496,7 @@
 		}
 	
 		/* IP */
-		ip = (struct iphdr *)&pkt[14];
+		ip = (struct iphdr *)(eth+1);
 		/* We only want IPv4 packets */
 		if (ip->version != 4) {
 			continue;
@@ -519,8 +519,15 @@
 			continue;
 		}
 
+		/* make sure its not a short packet */
+		if (offsetof(struct tcphdr, ack_seq) + 4 + 
+		    (ip->ihl*4) + sizeof(*eth) > ret) {
+			continue;
+		}
+
 		/* TCP */
-		tcp = (struct tcphdr *)&pkt[14+ip->ihl*4];
+		tcp = (struct tcphdr *)((ip->ihl*4) + (char *)ip);
+		
 		/* We only want replies from the port we tickled */
 		if (tcp->source != dst->sin_port) {
 			continue;
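Review bot: The short-packet test only guarantees the bytes up to the end of `ack_seq`, so any TCP field read after this hunk that lies beyond it (the flag bits, window, checksum) is still unchecked; if the code that follows reads such fields, bound with `sizeof(*tcp)` instead. The literal `4` would read better as `sizeof(tcp->ack_seq)`. `ip->ihl` is also used as an offset with no lower bound visible here; unless it is validated between the hunks, add `if (ip->ihl < 5) continue;` so the TCP header cannot be located inside the IP header. A comment naming the fields the bound is meant to cover would help, e.g. `/* need the TCP header up to and including ack_seq */`.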


