
tcp_comm: Make RX length checking more strict

Don't allow data which is too long.
Brian Starkey 2 lat temu
rodzic
commit
fc55e221d3
1 zmienionych plików z 15 dodań i 4 usunięć
  1. 15
    4
      tcp_comm.c

+ 15
- 4
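--- a/tcp_comm.c
+++ b/tcp_comm.c
@@ -382,16 +382,27 @@ static err_t tcp_comm_client_recv(void *arg, struct tcp_pcb *tpcb, struct pbuf *
 	if (p->tot_len > 0) {
 		DEBUG_printf("tcp_comm_server_recv %d err %d\n", p->tot_len, err);
 
-		size_t to_copy = p->tot_len > ctx->rx_bytes_remaining ? ctx->rx_bytes_remaining : p->tot_len;
+		if (p->tot_len > ctx->rx_bytes_remaining) {
+			DEBUG_printf("more data than expected: %d vs %d\n", p->tot_len, ctx->rx_bytes_remaining);
+			// TODO: Invoking the error response state here feels
+			// like a bit of a layering violation, but this is a
+			// protocol error, rather than a failure in the stack
+			// somewhere, so it's nice to try and report it rather
+			// than just dropping the connection.
+			if (tcp_comm_error_begin(ctx)) {
+				return tcp_comm_client_complete(ctx, ERR_ARG);
+			}
+			return ERR_OK;
+		}
 
 		// Receive the buffer
-		if (pbuf_copy_partial(p, ctx->buf + ctx->rx_bytes_received, to_copy, 0) != to_copy) {
+		if (pbuf_copy_partial(p, ctx->buf + ctx->rx_bytes_received, p->tot_len, 0) != p->tot_len) {
 			DEBUG_printf("wrong copy len\n");
 			return tcp_comm_client_complete(ctx, ERR_ARG);
 		}
 
-		ctx->rx_bytes_received += to_copy;
-		ctx->rx_bytes_remaining -= to_copy;
+		ctx->rx_bytes_received += p->tot_len;
+		ctx->rx_bytes_remaining -= p->tot_len;
 		tcp_recved(tpcb, p->tot_len);
 
 		if (ctx->rx_bytes_remaining == 0) {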
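Review bot: The new `return ERR_OK;` taken after `tcp_comm_error_begin(ctx)` succeeds tells lwIP the application has taken ownership of `p`, yet it skips the `tcp_recved(tpcb, p->tot_len)` the normal path performs, and if `p` is released at the end of tcp_comm_client_recv (outside this hunk) that release is skipped as well, so an oversized request would leak the pbuf and leave the receive window unadvanced. If the function's epilogue is what frees `p` on the ERR_OK path, add `tcp_recved(tpcb, p->tot_len); pbuf_free(p);` immediately before that return; the existing `wrong copy len` path has the same early-return shape but delegates to tcp_comm_client_complete, whose cleanup is not visible here. The added DEBUG_printf prints `ctx->rx_bytes_remaining` with `%d`; the removed `size_t to_copy = ...` line suggests that field is a size_t, in which case `%zu` for it avoids a mismatched format argument. The enclosing function starts and ends outside the hunk.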
