In certain cases buf.len can be -1, which causes BPTR to return NULL and
leads to a NULL pointer dereference on the next line.
As a fix, process only packets with non-zero length.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1423226280-9580-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9444
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -52,20 +52,19 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) |
52 | 52 |
struct multi_instance *mi = NULL; |
53 | 53 |
struct hash *hash = m->hash; |
54 | 54 |
|
55 |
- if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true)) |
|
55 |
+ if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true) && |
|
56 |
+ m->top.c2.buf.len > 0) |
|
56 | 57 |
{ |
57 | 58 |
struct hash_element *he; |
58 | 59 |
const uint32_t hv = hash_value (hash, &real); |
59 | 60 |
struct hash_bucket *bucket = hash_bucket (hash, hv); |
60 | 61 |
uint8_t* ptr = BPTR(&m->top.c2.buf); |
61 | 62 |
uint8_t op = ptr[0] >> P_OPCODE_SHIFT; |
62 |
- uint32_t peer_id; |
|
63 |
- int i; |
|
64 | 63 |
|
65 | 64 |
/* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ |
66 | 65 |
if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3)) |
67 | 66 |
{ |
68 |
- peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF; |
|
67 |
+ uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF; |
|
69 | 68 |
if ((peer_id < m->max_clients) && (m->instances[peer_id])) |
70 | 69 |
{ |
71 | 70 |
mi = m->instances[peer_id]; |
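Review bot: The moved declaration `uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF;` still reads four bytes through a `uint32_t*` cast of the `uint8_t*` buffer pointer, which is a strict-aliasing violation and a misaligned access unless the buffer guarantees 4-byte alignment; since the line is being rewritten anyway, `uint32_t raw; memcpy(&raw, ptr, sizeof raw); uint32_t peer_id = ntohl(raw) & 0xFFFFFF;` avoids both. The new `m->top.c2.buf.len > 0` term is the actual fix but carries no explanation, so a reader will not see why a length test is part of the address-extraction condition; a comment such as `/* buf.len must be > 0 here: BPTR() may return NULL otherwise and ptr[0] below dereferences it */` above the `if` would keep the reasoning from the commit message next to the code. The existing `>= (1 + 3)` check already bounds the four-byte peer-id read, so no further length validation appears needed in that branch. multi_get_create_instance_udp's body starts before and continues after this hunk.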
... | ... |
@@ -99,6 +98,8 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) |
99 | 99 |
mi = multi_create_instance (m, &real); |
100 | 100 |
if (mi) |
101 | 101 |
{ |
102 |
+ int i; |
|
103 |
+ |
|
102 | 104 |
hash_add_fast (hash, bucket, &mi->real, hv, mi); |
103 | 105 |
mi->did_real_hash = true; |
104 | 106 |
|