From 44a94dd91e9bb7533a2eb8941c44656e3bca110b Mon Sep 17 00:00:00 2001 From: Martine Lenders Date: Wed, 9 Dec 2020 17:26:38 +0100 Subject: [PATCH] uhcp: check maximum for prefix length --- sys/net/application_layer/uhcp/uhcp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/net/application_layer/uhcp/uhcp.c b/sys/net/application_layer/uhcp/uhcp.c index 1a8d239bd7..b9dff80a77 100644 --- a/sys/net/application_layer/uhcp/uhcp.c +++ b/sys/net/application_layer/uhcp/uhcp.c @@ -98,8 +98,9 @@ void uhcp_handle_push(uhcp_push_t *req, uint8_t *src, uint16_t port, uhcp_iface_ char prefix_str[INET6_ADDRSTRLEN]; inet_ntop(AF_INET6, src, addr_str, INET6_ADDRSTRLEN); uint8_t prefix[IN6ADDRSZ] = { 0 }; - if (req->prefix_len == 0) { - LOG_ERROR("uhcp_handle_push(): prefix length 0\n"); + /* prefix_len can't be 0 or greater then IN6ADDRSZ * 8 (== 128) */ + if ((req->prefix_len == 0) || (req->prefix_len > (IN6ADDRSZ << 3))) { + LOG_ERROR("uhcp_handle_push(): invalid prefix length\n"); return; } size_t prefix_bytes = (req->prefix_len + 7)>>3;