From 8978f6552b8cfae28b9d842db99b01aefb465812 Mon Sep 17 00:00:00 2001 From: David Gibson Date: Sat, 24 Sep 2022 19:08:23 +1000 Subject: icmp: Correct off by one errors dealing with number of echo request ids ICMP echo request and reply packets include a 16-bit 'id' value. We have some arrays indexed by this id value. Unfortunately we size those arrays with USHRT_MAX (65535) when they need to be sized by the total number of id values (65536). This could lead to buffer overruns. Resize the arrays correctly, using a new define for the purpose. Signed-off-by: David Gibson --- icmp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/icmp.c b/icmp.c index 2da8b58..39a8694 100644 --- a/icmp.c +++ b/icmp.c @@ -39,6 +39,7 @@ #include "icmp.h" #define ICMP_ECHO_TIMEOUT 60 /* s, timeout for ICMP socket activity */ +#define ICMP_NUM_IDS (1U << 16) /** * struct icmp_id_sock - Tracking information for single ICMP echo identifier @@ -53,10 +54,10 @@ struct icmp_id_sock { }; /* Indexed by ICMP echo identifier */ -static struct icmp_id_sock icmp_id_map [IP_VERSIONS][USHRT_MAX]; +static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS]; /* Bitmaps, activity monitoring needed for identifier */ -static uint8_t icmp_act [IP_VERSIONS][USHRT_MAX / 8]; +static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)]; /** * icmp_sock_handler() - Handle new data from socket -- cgit v1.2.3