| author | yangwei <[email protected]> | 2023-10-26 17:35:36 +0800 |
|---|---|---|
| committer | yangwei <[email protected]> | 2023-10-26 17:35:36 +0800 |
| commit | 0f73d90b61ededdc6509f73bdd58c80ebf789184 (patch) | |
| tree | c83e11b8cca363b65760544f0e853163a7e62d63 | |
| parent | d6e102166fed904b6d3adbdd7f77cb251614e9c3 (diff) | |
🐞 fix(inject packet): 注包接口增加长度判断,避免分片情况下内存读越界
| -rw-r--r-- | src/packet_io/sendpacket.c | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/src/packet_io/sendpacket.c b/src/packet_io/sendpacket.c index 5e4d004..27b5983 100644 --- a/src/packet_io/sendpacket.c +++ b/src/packet_io/sendpacket.c @@ -1304,12 +1304,11 @@ static int build_net_layer_tcp(struct streaminfo_private *stream_pr, int carry_l UINT32 tcp_seq; int tcp_data_len = a_tcp->datalen; bulid_layer_tcp_args_t *build_tcp_args; - -#if 0 /* 2015-12-30 lijia modify, IP�Ͷ˿ڴ洢��һ�� */ - raw_tcp_hdr = (struct mesa_tcp_hdr *)(stream_pr->offset_to_raw_pkt_hdr + (char *)raw_pkt->raw_pkt_data); -#else + if(raw_pkt->raw_pkt_len < (int)(stream_pr->offset_to_raw_pkt_hdr + stream_pr->offset_to_ip_hdr + sizeof(struct mesa_tcp_hdr))) + { + return -1; + } raw_tcp_hdr = (struct mesa_tcp_hdr *)(stream_pr->offset_to_raw_pkt_hdr + stream_pr->offset_to_ip_hdr + (char *)raw_pkt->raw_pkt_data); -#endif build_tcp_args = (bulid_layer_tcp_args_t *)g_build_pkt_args[stream_pr->stream_public.threadnum].layer_args[ADDR_TYPE_TCP]; @@ -2156,6 +2155,12 @@ static int build_net_layer_pkt(const struct streaminfo *top_stream, const struct stream = &stream_pr->stream_public; carry_layer_stream = stream; + if((stream->addr.pktipfragtype&PKT_TYPE_IP_FRAG_LAST)!=0 || (stream->addr.pktipfragtype&PKT_TYPE_IP_FRAG)!=0) + { + sapp_runtime_log(RLOG_LV_INFO, "build_net_layer_vlan() error, send streamdir:%d, fragment packet, type:%c!\n", send_stream_dir, stream->addr.pktipfragtype); + return -1; + } + if(is_proxy_stream(stream)){ /* �������ṹΪ����ṹ, ʵ�ʵİ������ڴ˲�, �����ʱ���������� */ return build_net_layer_pkt(top_stream, carry_layer_stream, (struct streaminfo_private *)stream->pfather, carry_layer_type, this_layer_len+carry_layer_len, buf, reverse, raw_pkt, send_stream_dir); 
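Review bot: The new length guard in build_net_layer_tcp returns -1 without logging, unlike the other checks added in this commit, so an injection dropped here leaves no trace; add a line such as `sapp_runtime_log(RLOG_LV_INFO, "build_net_layer_tcp() error, raw_pkt_len:%d too short for tcp header!\n", raw_pkt->raw_pkt_len);` before the return. The guard covers only the fixed `sizeof(struct mesa_tcp_hdr)`; if the rest of the function, which lies outside this hunk, reads TCP options located through `th_off`, that length needs to be compared with `raw_pkt_len` as well. The `(int)` cast of the size_t sum assumes both offsets are small and non-negative, which is worth confirming against their declared types.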
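Review bot: The log line added in build_net_layer_pkt names the wrong function (`build_net_layer_vlan() error`) and prints `stream->addr.pktipfragtype` with `%c`, although the condition above treats it as a bit mask, so the logged value will usually be an unprintable byte. Suggested format: `"build_net_layer_pkt() error, send streamdir:%d, fragment packet, type:0x%x!\n"`. The two mask tests can also be folded into `(stream->addr.pktipfragtype & (PKT_TYPE_IP_FRAG | PKT_TYPE_IP_FRAG_LAST)) != 0`. The function starts and continues outside the hunk, and because it recurses through `pfather` the check runs once per layer, which looks intended but deserves a one-line comment.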
@@ -2878,6 +2883,12 @@ int __sapp_inject_ctrl_pkt(struct streaminfo *stream, enum sapp_inject_opt sio, int raw_pkt_l4_hdr_len=0; if(stream->type==STREAM_TYPE_TCP) { + if(raw_pkt->raw_pkt_len < raw_pkt_l3_hdr_len + (int)sizeof(struct mesa_tcp_hdr)) + { + sapp_runtime_log(RLOG_LV_FATAL, "__sapp_inject_ctrl_pkt() error! raw_pkt_len:%d < raw_pkt_l3_hdr_len:%d+tcphdr_len:d\n", + raw_pkt->raw_pkt_len, raw_pkt_l3_hdr_len, (int)sizeof(struct mesa_tcp_hdr)); + return -1; + } struct mesa_tcp_hdr *tcph = (struct mesa_tcp_hdr *)((char *)raw_pkt->raw_pkt_data + raw_pkt_l3_hdr_len); raw_pkt_l4_hdr_len = tcph->th_off<<2; } @@ -2891,6 +2902,13 @@ int __sapp_inject_ctrl_pkt(struct streaminfo *stream, enum sapp_inject_opt sio, stream->type); return -1; } + + if(raw_pkt_l3_hdr_len + raw_pkt_l4_hdr_len > raw_pkt->raw_pkt_len) + { + sapp_runtime_log(RLOG_LV_INFO, "__sapp_inject_ctrl_pkt() error! l3_hdr_len:%d + l4_hdr_len:%d > raw_pkt_len:%d.\n", + raw_pkt_l3_hdr_len, raw_pkt_l3_hdr_len, raw_pkt->raw_pkt_len); + return -1; + } if (payload_len + raw_pkt_l3_hdr_len + raw_pkt_l4_hdr_len > MTU_MAX) { sapp_runtime_log(RLOG_LV_INFO, "__sapp_inject_ctrl_pkt() error! payload_len too long:%d.\n", |
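Review bot: The format string of the new short-packet log in the TCP branch of __sapp_inject_ctrl_pkt is missing a `%`: `tcphdr_len:d` should be `tcphdr_len:%d`, otherwise the third argument is never printed and the message ends in a literal `d`. The guard only ensures the fixed header is in bounds before `tcph->th_off<<2` is read; a `th_off` below 5 gives an l4 length smaller than the header itself and is not rejected, so consider `if (raw_pkt_l4_hdr_len < (int)sizeof(struct mesa_tcp_hdr)) return -1;` right after the shift. This branch logs at `RLOG_LV_FATAL` while the sibling checks use `RLOG_LV_INFO`; since the condition is driven by packet contents, one consistent lower level is probably what is wanted. The check also relies on `raw_pkt_l3_hdr_len`, computed outside this hunk, being non-negative.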
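Review bot: The log call in the added `raw_pkt_l3_hdr_len + raw_pkt_l4_hdr_len > raw_pkt->raw_pkt_len` check passes `raw_pkt_l3_hdr_len` twice, so the value printed as `l4_hdr_len` is really the l3 length; the argument line should read `raw_pkt_l3_hdr_len, raw_pkt_l4_hdr_len, raw_pkt->raw_pkt_len);`. As written, the log hides the header-derived length that caused the rejection, which is the value needed when triaging malformed or fragmented traffic. The surrounding function continues outside the hunk.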
