From 7335cbed46eb81cd4f521966ef508e18b6e8059f Mon Sep 17 00:00:00 2001
From: Ting-Wei Lan
Date: Fri, 20 Jun 2014 18:27:00 +0800
Subject: extra: fix wrong implementation in nfq_udp_get_payload

Signed-off-by: Pablo Neira Ayuso
---
 src/extra/udp.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/extra/udp.c b/src/extra/udp.c
index eee732e..6e6baed 100644
--- a/src/extra/udp.c
+++ b/src/extra/udp.c
@@ -56,13 +56,17 @@ EXPORT_SYMBOL(nfq_udp_get_hdr);
 */
 void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb)
 {
- unsigned int doff = udph->len;
+ uint16_t len = ntohs(udph->len);

- /* malformed UDP data offset. */
- if (pktb->transport_header + doff > pktb->tail)
+ /* the UDP packet is too short. */
+ if (len < sizeof(struct udphdr))
 return NULL;

- return pktb->transport_header + doff;
+ /* malformed UDP packet. */
+ if (pktb->transport_header + len > pktb->tail)
+ return NULL;
+
+ return pktb->transport_header + sizeof(struct udphdr);
 }
 EXPORT_SYMBOL(nfq_udp_get_payload);

-- 
cgit v1.2.3
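Review bot: The second check, `pktb->transport_header + len > pktb->tail`, bounds the buffer's transport header rather than the `udph` pointer that `len` was read from, so it only protects the caller if `udph` is exactly `pktb->transport_header`; that precondition is neither checked nor visible in the part of the doc comment shown here (the comment starts outside the hunk). Adding a packet-supplied `len` of up to 65535 to the pointer can also form an address far past the buffer before the comparison is made, which is undefined for C pointers; assuming both fields are byte pointers into the same buffer, comparing lengths avoids it: `if (len > (size_t)(pktb->tail - pktb->transport_header)) return NULL;`. The function returns only a pointer, so the doc comment should also say that readers of the payload must bound themselves by `ntohs(udph->len) - sizeof(struct udphdr)` and not by `pktb->tail`, since the buffer may hold bytes beyond the UDP length.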