CVE-2023-35846: [ipfilter] Check transport layer length in frame before filtering ports · virtualsquare/picotcp@d561990

Expand Up @@ -461,18 +461,18 @@ int ipfilter(struct pico_frame *f) temp.fdev = f->dev; temp.out_addr = ipv4_hdr->dst.addr; temp.in_addr = ipv4_hdr->src.addr; if ((ipv4_hdr->proto == PICO_PROTO_TCP) || (ipv4_hdr->proto == PICO_PROTO_UDP)) { trans = (struct pico_trans *) f->transport_hdr; temp.out_port = short_be(trans->dport); temp.in_port = short_be(trans->sport); } else if(ipv4_hdr->proto == PICO_PROTO_ICMP4) { icmp_hdr = (struct pico_icmp4_hdr *) f->transport_hdr; if(icmp_hdr->type == PICO_ICMP_UNREACH && icmp_hdr->code == PICO_ICMP_UNREACH_FILTER_PROHIB) return 0; if ((f->transport_hdr + sizeof(struct pico_trans)) <= (f->buffer + f->buffer_len)) { if ((ipv4_hdr->proto == PICO_PROTO_TCP) || (ipv4_hdr->proto == PICO_PROTO_UDP)) { trans = (struct pico_trans *) f->transport_hdr; temp.out_port = short_be(trans->dport); temp.in_port = short_be(trans->sport); } else if(ipv4_hdr->proto == PICO_PROTO_ICMP4) { icmp_hdr = (struct pico_icmp4_hdr *) f->transport_hdr; if(icmp_hdr->type == PICO_ICMP_UNREACH && icmp_hdr->code == PICO_ICMP_UNREACH_FILTER_PROHIB) return 0; } temp.proto = ipv4_hdr->proto; }
temp.proto = ipv4_hdr->proto; temp.priority = f->priority; temp.tos = ipv4_hdr->tos; return ipfilter_apply_filter(f, &temp); Expand Down