
tcp_comm: Make RX length checking more strict

Don't allow data which is too long.
Brian Starkey 2 years ago
parent
commit
fc55e221d3
1 changed files with 15 additions and 4 deletions
  1. 15
    4
      tcp_comm.c

+ 15
- 4
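--- a/tcp_comm.c
+++ b/tcp_comm.c
@@ -382,16 +382,27 @@
 	if (p->tot_len > 0) {
 		DEBUG_printf("tcp_comm_server_recv %d err %d\n", p->tot_len, err);
 
-		size_t to_copy = p->tot_len > ctx->rx_bytes_remaining ? ctx->rx_bytes_remaining : p->tot_len;
+		if (p->tot_len > ctx->rx_bytes_remaining) {
+			DEBUG_printf("more data than expected: %d vs %d\n", p->tot_len, ctx->rx_bytes_remaining);
+			// TODO: Invoking the error response state here feels
+			// like a bit of a layering violation, but this is a
+			// protocol error, rather than a failure in the stack
+			// somewhere, so it's nice to try and report it rather
+			// than just dropping the connection.
+			if (tcp_comm_error_begin(ctx)) {
+				return tcp_comm_client_complete(ctx, ERR_ARG);
+			}
+			return ERR_OK;
+		}
 
 		// Receive the buffer
-		if (pbuf_copy_partial(p, ctx->buf + ctx->rx_bytes_received, to_copy, 0) != to_copy) {
+		if (pbuf_copy_partial(p, ctx->buf + ctx->rx_bytes_received, p->tot_len, 0) != p->tot_len) {
 			DEBUG_printf("wrong copy len\n");
 			return tcp_comm_client_complete(ctx, ERR_ARG);
 		}
 
-		ctx->rx_bytes_received += to_copy;
-		ctx->rx_bytes_remaining -= to_copy;
+		ctx->rx_bytes_received += p->tot_len;
+		ctx->rx_bytes_remaining -= p->tot_len;
 		tcp_recved(tpcb, p->tot_len);
 
 		if (ctx->rx_bytes_remaining == 0) {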
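Review bot: The `return ERR_OK;` added at new line 395 exits the protocol-error branch without releasing `p` or acknowledging its bytes, and the enclosing function continues past the hunk; under lwIP's tcp recv callback contract a callback that returns ERR_OK owns the pbuf, so if `p` is freed at the end of the function this early return leaks it, and the receive window is never advanced because `tcp_recved` is skipped. If that is the layout, the branch should do `tcp_recved(tpcb, p->tot_len); pbuf_free(p);` before returning, mirroring the normal path below. Separately, `ctx->rx_bytes_remaining` was previously assigned into a `size_t` (the removed `to_copy`), so printing it with `%d` at new line 386 is likely a format/type mismatch; `%zu`, or a cast matching its actual type, would be the safe choice. Whether the two `return tcp_comm_client_complete(ctx, ERR_ARG)` paths dispose of the pbuf inside that helper cannot be confirmed from this hunk.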
