diff options
| author | Ting-Wei Lan <lantw44@gmail.com> | 2014-06-20 18:27:00 +0800 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-06-30 12:00:28 +0200 |
| commit | 7335cbed46eb81cd4f521966ef508e18b6e8059f (patch) | |
| tree | 4be9200b0fc5e771edbacf3afd202f879e672c99 | |
| parent | 3065fb3642c8e554432059629808a62560e2184f (diff) | |
extra: fix wrong implementation in nfq_udp_get_payload
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/extra/udp.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/extra/udp.c b/src/extra/udp.c index eee732e..6e6baed 100644 --- a/src/extra/udp.c +++ b/src/extra/udp.c @@ -56,13 +56,17 @@ EXPORT_SYMBOL(nfq_udp_get_hdr); */ void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb) { - unsigned int doff = udph->len; + uint16_t len = ntohs(udph->len); - /* malformed UDP data offset. */ - if (pktb->transport_header + doff > pktb->tail) + /* the UDP packet is too short. */ + if (len < sizeof(struct udphdr)) return NULL; - return pktb->transport_header + doff; + /* malformed UDP packet. */ + if (pktb->transport_header + len > pktb->tail) + return NULL; + + return pktb->transport_header + sizeof(struct udphdr); } EXPORT_SYMBOL(nfq_udp_get_payload); |