Merge cherrypicks of [3297237, 3297257, 3297258, 3297277, 3297278, 3297279, 3297280, 3297297, 3297298, 3297299, 3297300, 3297301, 3297302, 3297303, 3297304, 3297305, 3297306, 3297238, 3297281, 3297259, 3297260, 3297261, 3297262, 3297263, 3297264, 3297337, 3297338, 3297339, 3297357, 3297358, 3297359, 3297360, 3297282, 3297265, 3297283, 3297284] into nyc-bugfix-release
Change-Id: Ic3ce547e2742a99f5982f3d9b0c08ce9196d6ba3
diff --git a/libnetutils/packet.c b/libnetutils/packet.c
index cd26d05..bfc5f4d 100644
--- a/libnetutils/packet.c
+++ b/libnetutils/packet.c
@@ -219,6 +219,20 @@
* to construct the pseudo header used in the checksum calculation.
*/
dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp);
+ /*
+ * check validity of dhcp_size.
+ * 1) cannot be negative or zero.
+ * 2) src buffer contains enough bytes to copy
+ * 3) cannot exceed destination buffer
+ */
+ if ((dhcp_size <= 0) ||
+ ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) ||
+ ((int)sizeof(struct dhcp_msg) < dhcp_size)) {
+#if VERBOSE
+ ALOGD("Malformed Packet");
+#endif
+ return -1;
+ }
saddr = packet.ip.saddr;
daddr = packet.ip.daddr;
nread = ntohs(packet.ip.tot_len);
