icmp: Correct off by one errors dealing with number of echo request ids
ICMP echo request and reply packets include a 16-bit 'id' value. We have some arrays indexed by this id value. Unfortunately we size those arrays with USHRT_MAX (65535) when they need to be sized by the total number of id values (65536). This could lead to buffer overruns. Resize the arrays correctly, using a new define for the purpose. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
parent
d5b80ccc72
commit
8978f6552b
1 changed files with 3 additions and 2 deletions
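--- a/icmp.c
+++ b/icmp.c
@@ -39,6 +39,7 @@
 #include "icmp.h"
 
 #define ICMP_ECHO_TIMEOUT 60 /* s, timeout for ICMP socket activity */
+#define ICMP_NUM_IDS (1U << 16)
 
 /**
 * struct icmp_id_sock - Tracking information for single ICMP echo identifier
@@ -53,10 +54,10 @@ struct icmp_id_sock {
 };
 
 /* Indexed by ICMP echo identifier */
-static struct icmp_id_sock icmp_id_map [IP_VERSIONS][USHRT_MAX];
+static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];
 
 /* Bitmaps, activity monitoring needed for identifier */
-static uint8_t icmp_act [IP_VERSIONS][USHRT_MAX / 8];
+static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)];
 
 /**
 * icmp_sock_handler() - Handle new data from socket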
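Review bot: The new `ICMP_NUM_IDS` define has no comment and nothing ties it to the 16-bit width of the echo identifier, so the reason the arrays hold 65536 entries rather than `USHRT_MAX` is recorded only in the commit message. I would write it as `#define ICMP_NUM_IDS (1U << 16) /* distinct values of the 16-bit echo id */`. The sites that index `icmp_id_map` and `icmp_act`, and any loops that walk them, lie outside these hunks. If a bound elsewhere in icmp.c is still expressed as `USHRT_MAX`, it should move to `ICMP_NUM_IDS` (or `sizeof`) so the two cannot drift apart again. For backport triage, the old `USHRT_MAX / 8` bitmap was 8191 bytes, so, assuming one bit per id, ids 65528 to 65535 all fell past its end, not only 65535 as for `icmp_id_map`.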