
Commit 7a836de

committed
Add boundary checks to prevent out-of-bounds access in BgpLayer::getHeaderLen()
1 parent 07f33c0 commit 7a836de


2 files changed

+49
-0
lines changed


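--- a/Packet++/src/Layer.cpp
+++ b/Packet++/src/Layer.cpp
@@ -78,6 +78,25 @@ namespace pcpp
 return true;
 }
 
+if ((size_t)offsetInLayer > m_DataLen)
+{
+PCPP_LOG_ERROR("Requested offset is larger than data length");
+return false;
+}
+
+if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer
+> (ptrdiff_t)m_Packet->m_RawPacket->getRawDataLen())
+{
+PCPP_LOG_ERROR("Requested offset is larger than total packet length");
+return false;
+}
+
+if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer > m_NextLayer->m_Data - m_Data)
+{
+PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary");
+return false;
+}
+
 return m_Packet->extendLayer(this, offsetInLayer, numOfBytesToExtend);
 }
 
@@ -107,6 +126,32 @@ namespace pcpp
 return true;
 }
 
+if ((size_t)offsetInLayer >= m_DataLen)
+{
+PCPP_LOG_ERROR("Requested offset is larger than data length");
+return false;
+}
+
+if ((size_t)offsetInLayer + numOfBytesToShorten > m_DataLen)
+{
+PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
+return false;
+}
+
+if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
+> (ptrdiff_t)(m_Packet->m_RawPacket->getRawDataLen()))
+{
+PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length");
+return false;
+}
+
+if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
+> m_NextLayer->m_Data - m_Data)
+{
+PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary");
+return false;
+}
+
 return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten);
 }
 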
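Review bot: The combined bound in the second hunk, `(size_t)offsetInLayer + numOfBytesToShorten > m_DataLen` (new line 135), is computed by addition and can wrap around if numOfBytesToShorten is an unsigned size type, which the later `(ptrdiff_t)` casts suggest; its declaration is outside the hunk. A very large count would then pass this check, and the two checks after it cast the same value to `ptrdiff_t`, where it turns negative and passes as well. Because the preceding check already guarantees `offsetInLayer < m_DataLen`, the subtraction form cannot wrap: `if (numOfBytesToShorten > m_DataLen - (size_t)offsetInLayer)`. With that bound in place the later casts stay within range as long as m_DataLen itself fits in `ptrdiff_t`.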

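--- a/Packet++/src/Packet.cpp
+++ b/Packet++/src/Packet.cpp
@@ -619,6 +619,8 @@ namespace pcpp
 // assuming header length of the layer that requested to be extended hasn't been enlarged yet
 size_t headerLen = curLayer->getHeaderLen() + (curLayer == layer ? numOfBytesToExtend : 0);
 dataPtr += headerLen;
+if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
+break;
 curLayer = curLayer->getNextLayer();
 }
 
@@ -671,6 +673,8 @@ namespace pcpp
 // assuming header length of the layer that requested to be extended hasn't been enlarged yet
 size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0);
 dataPtr += headerLen;
+if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
+break;
 curLayer = curLayer->getNextLayer();
 }
 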
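Review bot: In both hunks the new bound test runs after `dataPtr += headerLen;`, so the pointer has already been moved past the end of the raw buffer by the time it is compared, and forming a pointer beyond one-past-the-end is undefined behaviour in C++. Comparing the length with the bytes that remain, before advancing, avoids that: `if (headerLen > (size_t)(m_RawPacket->getRawData() + m_RawPacket->getRawDataLen() - dataPtr)) break;` placed above the `dataPtr += headerLen;` line, assuming dataPtr never starts beyond the end. The `break` is also silent, whereas the checks added in Layer.cpp call `PCPP_LOG_ERROR`; the remaining layers are skipped without a log line, and whether the caller learns of the failure depends on loop and function code outside the hunks. In the second hunk the context line `getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0)` could additionally underflow `size_t` if the reported header length is smaller than the shortened count, which would be worth guarding in the same place.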
