
Fix bug #53705: Buffer overflow in low_level_output in tapif.c (port for Unix)

Was also present in tunif.c. While at it, also correct low_level_output() return values
master
Dirk Ziegelmeier 8 years ago
parent
commit
39d8e0bc48
  1. 20
      ports/unix/port/netif/tapif.c
  2. 26
      ports/unix/port/netif/tunif.c

20
ports/unix/port/netif/tapif.c

@ -223,29 +223,35 @@ static err_t
low_level_output(struct netif *netif, struct pbuf *p)
{
struct tapif *tapif = (struct tapif *)netif->state;
char buf[1514];
char buf[1518]; /* max packet size including VLAN excluding CRC */
ssize_t written;
#if 0
if (((double)rand()/(double)RAND_MAX) < 0.2) {
printf("drop output\n");
return ERR_OK;
return ERR_OK; /* ERR_OK because we simulate packet loss on cable */
}
#endif
if (p->tot_len > sizeof(buf)) {
MIB2_STATS_NETIF_INC(netif, ifoutdiscards);
perror("tapif: packet too large");
return ERR_IF;
}
/* initiate transfer(); */
pbuf_copy_partial(p, buf, p->tot_len, 0);
/* signal that packet should be sent(); */
written = write(tapif->fd, buf, p->tot_len);
if (written < 0) {
if (written < p->tot_len) {
MIB2_STATS_NETIF_INC(netif, ifoutdiscards);
perror("tapif: write");
}
else {
return ERR_IF;
} else {
MIB2_STATS_NETIF_ADD(netif, ifoutoctets, (u32_t)written);
return ERR_OK;
}
return ERR_OK;
}
/*-----------------------------------------------------------------------------------*/
/*
@ -262,7 +268,7 @@ low_level_input(struct netif *netif)
struct pbuf *p;
u16_t len;
ssize_t readlen;
char buf[1514];
char buf[1518]; /* max packet size including VLAN excluding CRC */
struct tapif *tapif = (struct tapif *)netif->state;
/* Obtain the size of the packet and put it into the "len"
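Review bot: In the new oversize branch of low_level_output, `perror("tapif: packet too large")` appends the message for whatever errno currently holds, although no call has failed at that point, so the log line ends with an unrelated error string. `fprintf(stderr, "tapif: packet too large\n");` reports the discard without that. The short-write path has the same problem: `written < p->tot_len` now also matches a partial write with `written >= 0`, where errno is stale. The "packet too large" and write-failure branches in tunif.c are written the same way. The low_level_input hunk shows only the buffer growing to 1518 and the function body continues outside it, so it is worth confirming that the read length there is bounded by `sizeof(buf)` too.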

26
ports/unix/port/netif/tunif.c

@ -125,23 +125,35 @@ static err_t
low_level_output(struct tunif *tunif, struct pbuf *p)
{
char buf[1500];
int rnd_val;
ssize_t written;
/* initiate transfer(); */
rnd_val = rand();
if (((double)rnd_val/(double)RAND_MAX) < 0.4) {
printf("drop\n");
return ERR_OK;
#if 0
if (((double)rand()/(double)RAND_MAX) < 0.4) {
printf("drop output\n");
return ERR_OK; /* ERR_OK because we simulate packet loss on cable */
}
#endif
if (p->tot_len > sizeof(buf)) {
MIB2_STATS_NETIF_INC(netif, ifoutdiscards);
perror("tunif: packet too large");
return ERR_IF;
}
pbuf_copy_partial(p, buf, p->tot_len, 0);
/* signal that packet should be sent(); */
if (write(tunif->fd, buf, p->tot_len) == -1) {
written = write(tunif->fd, buf, p->tot_len);
if (written < p->tot_len) {
MIB2_STATS_NETIF_INC(netif, ifoutdiscards);
perror("tunif: write");
return ERR_IF;
} else {
MIB2_STATS_NETIF_ADD(netif, ifoutoctets, (u32_t)written);
return ERR_OK;
}
return ERR_OK;
}
/*-----------------------------------------------------------------------------------*/
/*
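Review bot: The added `MIB2_STATS_NETIF_INC(netif, ifoutdiscards);` and `MIB2_STATS_NETIF_ADD(netif, ifoutoctets, (u32_t)written);` use `netif`, but this low_level_output takes `struct tunif *tunif` and declares no `netif` in the body shown. Unless a file-scope `netif` exists outside the hunk, this presumably builds only when the MIB2 macros expand to nothing and breaks once those statistics are enabled. One option is to match tapif.c: take `struct netif *netif` and start the body with `struct tunif *tunif = (struct tunif *)netif->state;`, which also means updating the callers outside this hunk.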
