From 2fe0f8f190fb8f52d9f213d84f34059df2247941 Mon Sep 17 00:00:00 2001
From: Samuel Jero <sj323707@ohio.edu>
Date: Wed, 16 Nov 2011 18:47:27 -0500
Subject: [PATCH] Insert checks for truncated headers and too long options

---
 dccp2tcp.c | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/dccp2tcp.c b/dccp2tcp.c
index 651d98b..9b1990f 100644
--- a/dccp2tcp.c
+++ b/dccp2tcp.c
@@ -202,8 +202,8 @@ int convert_packet(struct packet *new, const struct const_packet* old)
 		exit(1);
 		return 0;
 	}
-	if(old->length < sizeof(struct dccp_hdr) || new->length < sizeof(struct dccp_hdr)){
-		dbgprintf(0, "Error: Convert Packet Function given packet of wrong size!\n");
+	if(old->length < (sizeof(struct dccp_hdr) + sizeof(struct dccp_hdr_ext)) || new->length < sizeof(struct dccp_hdr)){
+		dbgprintf(0, "Error: DCCP Packet Too short!\n");
 		return 0;
 	}
 
@@ -225,6 +225,17 @@ int convert_packet(struct packet *new, const struct const_packet* old)
 		return 0;
 	}
 
+	/*Ensure packet is at least as large as DCCP header*/
+	if(old->length < dccph->dccph_doff*4){
+		dbgprintf(0, "Error: DCCP Header truncated\n");
+		return 0;
+	}
+	if(dccph->dccph_type!=DCCP_PKT_DATA &&
+			old->length < (sizeof(struct dccp_hdr) + sizeof(struct dccp_hdr_ext) +
+			sizeof(struct dccp_hdr_ack_bits))){
+		dbgprintf(0, "Error: DCCP Packet Too short!\n");
+	}
+
 	/*determine data length*/
 	datalength=old->length - dccph->dccph_doff*4;
 	pd=old->data + dccph->dccph_doff*4;
@@ -506,7 +517,6 @@ unsigned int interp_ack_vect(u_char* hdr)
 
 	/*parse options*/
 	while(optlen > 0){
-		len=*(opt+1);
 
 		/*One byte options (no length)*/
 		if(*opt< 32){
@@ -515,6 +525,13 @@ unsigned int interp_ack_vect(u_char* hdr)
 			continue;
 		}
 
+		/*Check option length*/
+		len=*(opt+1);
+		if(len > optlen){
+			dbgprintf(0, "Warning: Option would extend into packet data\n");
+			return additional;
+		}
+
 		/*Ack Vector Option*/
 		if(*opt==38 || *opt==39){
 			tmp=len-2;
@@ -536,7 +553,7 @@ unsigned int interp_ack_vect(u_char* hdr)
 				}
 
 				if(((*cur& 0xC0)!= 0xC0) && ((*cur& 0xC0)!= 0x00) && ((*cur& 0xC0)!= 0x40)){
-					dbgprintf(1, "Warning: Invalid Ack Vector!! (Linux will handle poorly!) -- %X\n", *cur);
+					dbgprintf(1, "Warning: Invalid Ack Vector!! (Linux will handle poorly!)\n");
 				}
 				tmp--;
 				cur++;
@@ -715,7 +732,6 @@ void ack_vect2sack(struct host *seq, struct tcphdr *tcph, u_char* tcpopts, u_cha
 
 	/*parse options*/
 	while(optlen > 0){
-		len=*(opt+1);
 
 		/*One byte options (no length)*/
 		if(*opt< 32){
@@ -724,6 +740,12 @@ void ack_vect2sack(struct host *seq, struct tcphdr *tcph, u_char* tcpopts, u_cha
 			continue;
 		}
 
+		len=*(opt+1);
+		if(len > optlen){
+			dbgprintf(0, "Warning: Option would extend into packet data\n");
+			break;
+		}
+
 		/*Ack Vector Option*/
 		if(*opt==38 || *opt==39){
 			tmp=len-2;
-- 
2.39.2