Commit 94d709f8 authored by Alessandro Rubini's avatar Alessandro Rubini Committed by Adam Wujek

udp: fix buffer overflow in udp checksum

This is my own fault introduced here:

   765443c7 udp: bugfix for checksum generation

It made no harm, because all send frames were oversized, but I'm now
using fixed-size buffers, and this overwrites the own IP address
thus corrupting the checksum and so on.

Pity me.
Signed-off-by: Alessandro Rubini's avatarAlessandro Rubini <rubini@gnudd.com>
parent 7167cb3f
......@@ -15,6 +15,7 @@ void fill_udp(uint8_t * buf, int len, struct wr_udp_addr *uaddr)
{
unsigned short sum;
struct wr_udp_addr addr;
uint8_t oddb;
/* if there is no user-provided uaddr, we are replying */
if (!uaddr) {
......@@ -40,9 +41,12 @@ void fill_udp(uint8_t * buf, int len, struct wr_udp_addr *uaddr)
buf[UDP_CHECKSUM] = 0;
buf[UDP_CHECKSUM + 1] = 0;
buf[len] = '\0'; /* pad, in case the payload is odd */
/* pad, in case the payload is odd, but we can avoid the if */
oddb = buf[len];
buf[len] = '\0';
sum = ipv4_checksum((unsigned short *)(buf + UDP_VIRT_SADDR),
(len + 1 - UDP_VIRT_SADDR) / 2);
buf[len] = oddb;
if (sum == 0)
sum = 0xFFFF;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment