From 75a7239e5ba16e0cf506a8d41ca747bd964f4937 Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 1 Sep 2021 16:38:49 +0200
Subject: tap: Make sure we don't receive frames bigger than ETH_MAX_MTU from qemu
And while at it, remove some attributes that are not needed anymore after introducing command line options.
Signed-off-by: Stefano Brivio
---
tap.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/tap.c b/tap.c
index bc40b5d..48b8a2a 100644
--- a/tap.c
+++ b/tap.c
@@ -322,8 +322,7 @@ static int tap4_handler(struct ctx *c, struct tap_msg *msg, size_t count,
 static int tap6_handler(struct ctx *c, struct tap_msg *msg, size_t count,
 struct timespec *now, int first)
 {
- char buf_s[INET6_ADDRSTRLEN] __attribute((__unused__));
- char buf_d[INET6_ADDRSTRLEN] __attribute((__unused__));
+ char buf_s[INET6_ADDRSTRLEN], buf_d[INET6_ADDRSTRLEN];
 struct ethhdr *eh = (struct ethhdr *)msg[0].start;
 struct udphdr *uh, *prev_uh = NULL;
 uint8_t proto = 0, prev_proto = 0;
@@ -462,12 +461,12 @@ static int tap_handler_passt(struct ctx *c, struct timespec *now)
 while (n > (ssize_t)sizeof(uint32_t)) {
 ssize_t len = ntohl(*(uint32_t *)p);
+ if (len < (ssize_t)sizeof(*eh) || len > ETH_MAX_MTU)
+ return 0;
+
 p += sizeof(uint32_t);
 n -= sizeof(uint32_t);
- if (len < (ssize_t)sizeof(*eh))
- return 0;
-
 /* At most one packet might not fit in a single read */
 if (len > n) {
 rem = recv(c->fd_tap, p + n, len - n, MSG_DONTWAIT);
--
cgit v1.2.3
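Review bot: In the second hunk, the new bound in tap_handler_passt rejects a bad length with a bare `return 0`, which drops the rest of the bytes already read and logs nothing. If fd_tap is a stream socket, as the 4-byte length prefix suggests, the next read can start mid-frame and take payload bytes for a length. Since the peer controls this value, it would be safer to log the rejected length and close or reset the tap connection, and to document the check with something like `/* Untrusted frame length from the peer: at least an Ethernet header, at most ETH_MAX_MTU */`. The cap also limits the `recv()` below to `len - n` bytes written at `p + n`, but whether the buffer behind `p` has that much room is not visible here and is worth confirming. The function body starts and ends outside the hunk.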