From 67e0575bd38b3d332797d75d7ce3d3ae5e81fb27 Mon Sep 17 00:00:00 2001
From: cedric-d
Date: Sun, 24 Apr 2016 12:06:09 +0200
Subject: [PATCH] Prevent uIP buffer over-read with big UDP packets

When an UDP packet too big to fit in the uIP packet buffer is to be sent, the part fitting in the uIP buffer is copied to it (so no buffer overflow occurs) but uIP actually sends a packet of the original size therefore a buffer over-read occurs. This modification makes uIP discard the UDP packets that do not fit in the uIP packet buffer.
---
 core/net/ip/uip-udp-packet.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/core/net/ip/uip-udp-packet.c b/core/net/ip/uip-udp-packet.c
index 923661709..b40d7cc9f 100644
--- a/core/net/ip/uip-udp-packet.c
+++ b/core/net/ip/uip-udp-packet.c
@@ -51,12 +51,10 @@ void
 uip_udp_packet_send(struct uip_udp_conn *c, const void *data, int len)
 {
 #if UIP_UDP
- if(data != NULL) {
+ if(data != NULL && len <= (UIP_BUFSIZE - (UIP_LLH_LEN + UIP_IPUDPH_LEN))) {
 uip_udp_conn = c;
 uip_slen = len;
- memmove(&uip_buf[UIP_LLH_LEN + UIP_IPUDPH_LEN], data,
- len > UIP_BUFSIZE - UIP_LLH_LEN - UIP_IPUDPH_LEN?
- UIP_BUFSIZE - UIP_LLH_LEN - UIP_IPUDPH_LEN: len);
+ memmove(&uip_buf[UIP_LLH_LEN + UIP_IPUDPH_LEN], data, len);
 uip_process(UIP_UDP_SEND_CONN);

 #if UIP_CONF_IPV6_MULTICAST
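Review bot: The new guard in `uip_udp_packet_send` bounds `len` only from above, and `len` is a signed `int`: if the size macros on the right-hand side expand to signed constants (their definitions are not visible in this hunk), a negative `len` still passes and is converted to a very large `size_t` in `memmove(&uip_buf[UIP_LLH_LEN + UIP_IPUDPH_LEN], data, len)`, writing far past `uip_buf`. The removed clamp had the same gap, so it remains open after this commit; the condition could read `if(data != NULL && len >= 0 && len <= (UIP_BUFSIZE - (UIP_LLH_LEN + UIP_IPUDPH_LEN))) {`. Oversized datagrams are now dropped from a `void` function with no signal to the caller, so a comment above the condition such as `/* Datagrams that do not fit in uip_buf are discarded, not truncated. */` would make the contract explicit. The function body continues past the end of the hunk.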