Fix insufficient length validation in TCP packets.

Found via cargo-fuzz.
This commit is contained in:
whitequark 2017-06-24 12:29:39 +00:00
parent c73af2b247
commit fce23593fc
1 changed files with 12 additions and 0 deletions

View File

@ -118,6 +118,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
/// Ensure that no accessor method will panic if called.
/// Returns `Err(Error::Truncated)` if the buffer is too short.
/// Returns `Err(Error::Malformed)` if the header length field has a value smaller
/// than the minimal header length.
///
/// The result of this check is invalidated by calling [set_header_len].
///
@ -130,6 +132,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
let header_len = self.header_len() as usize;
if len < header_len {
Err(Error::Truncated)
} else if header_len < field::URGENT.end {
Err(Error::Malformed)
} else {
Ok(())
}
@ -877,6 +881,14 @@ mod test {
assert_eq!(packet.check_len(), Err(Error::Truncated));
}
#[test]
fn test_impossible_len() {
let mut bytes = vec![0; 20];
let mut packet = Packet::new(&mut bytes);
packet.set_header_len(10);
assert_eq!(packet.check_len(), Err(Error::Malformed));
}
static SYN_PACKET_BYTES: [u8; 24] =
[0xbf, 0x00, 0x00, 0x50,
0x01, 0x23, 0x45, 0x67,