From 8978f6552b8cfae28b9d842db99b01aefb465812 Mon Sep 17 00:00:00 2001
From: David Gibson <david@gibson.dropbear.id.au>
Date: Sat, 24 Sep 2022 19:08:23 +1000
Subject: icmp: Correct off by one errors dealing with number of echo request
 ids

ICMP echo request and reply packets include a 16-bit 'id' value.  We have
some arrays indexed by this id value.  Unfortunately we size those arrays
with USHRT_MAX (65535) when they need to be sized by the total number of
id values (65536).  This could lead to buffer overruns.  Resize the arrays
correctly, using a new define for the purpose.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 icmp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'icmp.c')

diff --git a/icmp.c b/icmp.c
index 2da8b58..39a8694 100644
--- a/icmp.c
+++ b/icmp.c
@@ -39,6 +39,7 @@
 #include "icmp.h"
 
 #define ICMP_ECHO_TIMEOUT	60 /* s, timeout for ICMP socket activity */
+#define ICMP_NUM_IDS		(1U << 16)
 
 /**
  * struct icmp_id_sock - Tracking information for single ICMP echo identifier
@@ -53,10 +54,10 @@ struct icmp_id_sock {
 };
 
 /* Indexed by ICMP echo identifier */
-static struct icmp_id_sock icmp_id_map	[IP_VERSIONS][USHRT_MAX];
+static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];
 
 /* Bitmaps, activity monitoring needed for identifier */
-static uint8_t icmp_act			[IP_VERSIONS][USHRT_MAX / 8];
+static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)];
 
 /**
  * icmp_sock_handler() - Handle new data from socket
-- 
cgit v1.2.3