From a88a11c243e2325c8a87177f21651120d39e6160 Mon Sep 17 00:00:00 2001
From: cpq
Date: Thu, 29 Sep 2022 11:13:27 +0100
Subject: [PATCH] Fix TX overflow in rx_icmp()
---
 mip/mip.c | 9 +++++----
 mongoose.c | 7 ++++---
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/mip/mip.c b/mip/mip.c
index 77487da1..c2b464f7 100644
--- a/mip/mip.c
+++ b/mip/mip.c
@@ -449,11 +449,12 @@ static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
 struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src, sizeof(struct icmp) + pkt->pay.len);
 struct icmp *icmp = (struct icmp *) (ip + 1);
- memset(icmp, 0, sizeof(*icmp)); // Important - set csum to 0
- memcpy(icmp + 1, pkt->pay.buf, pkt->pay.len);
+ size_t len = PDIFF(ifp->tx.buf, icmp + 1), left = ifp->tx.len - len;
+ if (left > pkt->pay.len) left = pkt->pay.len; // Don't overflow TX
+ memset(icmp, 0, sizeof(*icmp)); // Set csum to 0
+ memcpy(icmp + 1, pkt->pay.buf, left); // Copy RX payload to TX
 icmp->csum = ipcsum(icmp, sizeof(*icmp) + pkt->pay.len);
- ifp->driver->tx(ifp->tx.buf, PDIFF(ifp->tx.buf, icmp + 1) + pkt->pay.len,
- ifp->driver_data);
+ ifp->driver->tx(ifp->tx.buf, len + left, ifp->driver_data);
 }
 }
diff --git a/mongoose.c b/mongoose.c
index 97d5c17e..fdd2f866 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -6714,11 +6714,12 @@ static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
 struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src, sizeof(struct icmp) + pkt->pay.len);
 struct icmp *icmp = (struct icmp *) (ip + 1);
+ size_t len = PDIFF(ifp->tx.buf, icmp + 1), left = ifp->tx.len - len;
+ if (left > pkt->pay.len) left = pkt->pay.len;
 memset(icmp, 0, sizeof(*icmp)); // Important - set csum to 0
- memcpy(icmp + 1, pkt->pay.buf, pkt->pay.len);
+ memcpy(icmp + 1, pkt->pay.buf, left);
 icmp->csum = ipcsum(icmp, sizeof(*icmp) + pkt->pay.len);
- ifp->driver->tx(ifp->tx.buf, PDIFF(ifp->tx.buf, icmp + 1) + pkt->pay.len,
- ifp->driver_data);
+ ifp->driver->tx(ifp->tx.buf, len + left, ifp->driver_data);
 }
 }
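Review bot: In the mip/mip.c hunk the clamp reaches only the `memcpy` and the driver `tx` length, so `ipcsum(icmp, sizeof(*icmp) + pkt->pay.len)` still walks the unclamped length from `icmp` and can read past the end of `ifp->tx.buf` when the received payload exceeds the remaining TX space; it should use the clamped value, `icmp->csum = ipcsum(icmp, sizeof(*icmp) + left);`. The `tx_ip()` call above it is likewise still given `sizeof(struct icmp) + pkt->pay.len`, so, assuming that argument becomes the IP length field, a truncated reply would advertise more bytes than are sent; computing the clamp before `tx_ip()` and passing the clamped length would keep header, checksum and frame consistent. `left = ifp->tx.len - len` is an unsigned subtraction, and nothing visible here guarantees `ifp->tx.len` is at least the header offset, so a guard such as `if (len > ifp->tx.len) return;` (or a comment stating the invariant) is worth adding, since a wrap would make the clamp a no-op. The same lines are repeated in the mongoose.c hunk, and the opening of the `if` block inside rx_icmp lies outside both hunks.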