Insert checks for truncated headers and too long options

diff --git a/dccp2tcp.c b/dccp2tcp.c
index 651d98bcce0965012b317e0f7e631fb516d4d6f2..9b1990f42ca6fa5e5e8ee4fc22b23bd0cd36c60d 100644 (file)
--- a/dccp2tcp.c
+++ b/dccp2tcp.c
@@ -202,8 +202,8 @@ int convert_packet(struct packet *new, const struct const_packet* old)
                exit(1);
                return 0;
        }
-       if(old->length < sizeof(struct dccp_hdr) || new->length < sizeof(struct dccp_hdr)){
-               dbgprintf(0, "Error: Convert Packet Function given packet of wrong size!\n");
+       if(old->length < (sizeof(struct dccp_hdr) + sizeof(struct dccp_hdr_ext)) || new->length < sizeof(struct dccp_hdr)){
+               dbgprintf(0, "Error: DCCP Packet Too short!\n");
                return 0;
        }
 
@@ -225,6 +225,17 @@ int convert_packet(struct packet *new, const struct const_packet* old)
                return 0;
        }
 
+       /*Ensure packet is at least as large as DCCP header*/
+       if(old->length < dccph->dccph_doff*4){
+               dbgprintf(0, "Error: DCCP Header truncated\n");
+               return 0;
+       }
+       if(dccph->dccph_type!=DCCP_PKT_DATA &&
+                       old->length < (sizeof(struct dccp_hdr) + sizeof(struct dccp_hdr_ext) +
+                       sizeof(struct dccp_hdr_ack_bits))){
+               dbgprintf(0, "Error: DCCP Packet Too short!\n");
+       }
+
        /*determine data length*/
        datalength=old->length - dccph->dccph_doff*4;
        pd=old->data + dccph->dccph_doff*4;
@@ -506,7 +517,6 @@ unsigned int interp_ack_vect(u_char* hdr)
 
        /*parse options*/
        while(optlen > 0){
-               len=*(opt+1);
 
                /*One byte options (no length)*/
                if(*opt< 32){
@@ -515,6 +525,13 @@ unsigned int interp_ack_vect(u_char* hdr)
                        continue;
                }
 
+               /*Check option length*/
+               len=*(opt+1);
+               if(len > optlen){
+                       dbgprintf(0, "Warning: Option would extend into packet data\n");
+                       return additional;
+               }
+
                /*Ack Vector Option*/
                if(*opt==38 || *opt==39){
                        tmp=len-2;
@@ -536,7 +553,7 @@ unsigned int interp_ack_vect(u_char* hdr)
                                }
 
                                if(((*cur& 0xC0)!= 0xC0) && ((*cur& 0xC0)!= 0x00) && ((*cur& 0xC0)!= 0x40)){
-                                       dbgprintf(1, "Warning: Invalid Ack Vector!! (Linux will handle poorly!) -- %X\n", *cur);
+                                       dbgprintf(1, "Warning: Invalid Ack Vector!! (Linux will handle poorly!)\n");
                                }
                                tmp--;
                                cur++;
@@ -715,7 +732,6 @@ void ack_vect2sack(struct host *seq, struct tcphdr *tcph, u_char* tcpopts, u_cha
 
        /*parse options*/
        while(optlen > 0){
-               len=*(opt+1);
 
                /*One byte options (no length)*/
                if(*opt< 32){
@@ -724,6 +740,12 @@ void ack_vect2sack(struct host *seq, struct tcphdr *tcph, u_char* tcpopts, u_cha
                        continue;
                }
 
+               len=*(opt+1);
+               if(len > optlen){
+                       dbgprintf(0, "Warning: Option would extend into packet data\n");
+                       break;
+               }
+
                /*Ack Vector Option*/
                if(*opt==38 || *opt==39){
                        tmp=len-2;