alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

backport bugfix lwip for v3.1

Browse Source
This commit is contained in:
xueyunfei 2020-09-17 20:57:08 +08:00
parent a5be5acf2f
commit c3457fda21
2 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
components/lwip/core/ipv4/dhcp.c
View File

@ -1590,8 +1590,8 @@ dhcp_parse_reply(struct dhcp *dhcp, struct pbuf *p)
again:
q = p;
while ((q != NULL) && (options_idx >= q->len)) {
options_idx -= q->len;
options_idx_max -= q->len;
options_idx = (u16_t)(options_idx - q->len);
options_idx_max = (u16_t)(options_idx_max - q->len);
q = q->next;
}
if (q == NULL) {
@ -1606,7 +1606,11 @@ again:
u8_t len;
u8_t decode_len = 0;
int decode_idx = -1;
u16_t val_offset = offset + 2;
u16_t val_offset = (u16_t)(offset + 2);
if (val_offset < offset) {
/* overflow */
return ERR_BUF;
}
/* len byte might be in the next pbuf */
if (offset + 1 < q->len) {
len = options[offset + 1];
@ -1679,7 +1683,11 @@ again:
LWIP_DEBUGF(DHCP_DEBUG, ("skipping option %"U16_F" in options\n", op));
break;
}
offset += len + 2;
if ((u32_t)(offset + len + 2) > 0xFFFF) {
/* overflow */
return ERR_BUF;
}
offset = (u16_t)(offset + len + 2);
if (decode_len > 0) {
u32_t value = 0;
u16_t copy_len;
@ -1690,11 +1698,17 @@ decode_next:
pbuf_copy_partial(q, &value, copy_len, val_offset);
if (decode_len > 4) {
/* decode more than one u32_t */
u16_t next_val_offset;
//LWIP_ERROR("decode_len % 4 == 0", decode_len % 4 == 0, return ERR_VAL;);
dhcp_got_option(dhcp, decode_idx);
dhcp_set_option_value(dhcp, decode_idx, htonl(value));
decode_len -= 4;
val_offset += 4;
decode_len = (u8_t)(decode_len - 4);
next_val_offset = (u16_t)(val_offset + 4);
if (next_val_offset < val_offset) {
/* overflow */
return ERR_BUF;
}
val_offset = next_val_offset;
decode_idx++;
goto decode_next;
} else if (decode_len == 4) {
@ -1708,8 +1722,8 @@ decode_next:
}
}
if (offset >= q->len) {
offset -= q->len;
offset_max -= q->len;
offset = (u16_t)(offset - q->len);
offset_max = (u16_t)(offset_max - q->len);
if ((offset < offset_max) && offset_max) {
q = q->next;
LWIP_ASSERT("next pbuf was null", q);

6
components/lwip/core/ipv6/ip6.c
View File

@ -571,7 +571,7 @@ netif_found:
ip_data.current_ip_header_tot_len += hlen;
/* Skip over this header. */
if (hlen > p->len) {
if (p->len < 8 || hlen > p->len) {
LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
("IPv6 options header (hlen %"U16_F") does not fit in first pbuf (len %"U16_F"), IPv6 packet dropped.\n",
hlen, p->len));
@ -594,7 +594,7 @@ netif_found:
ip_data.current_ip_header_tot_len += hlen;
/* Skip over this header. */
if (hlen > p->len) {
if (p->len < 8 || hlen > p->len) {
LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
("IPv6 options header (hlen %"U16_F") does not fit in first pbuf (len %"U16_F"), IPv6 packet dropped.\n",
hlen, p->len));
@ -617,7 +617,7 @@ netif_found:
ip_data.current_ip_header_tot_len += hlen;
/* Skip over this header. */
if (hlen > p->len) {
if (p->len < 8 || hlen > p->len) {
LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
("IPv6 options header (hlen %"U16_F") does not fit in first pbuf (len %"U16_F"), IPv6 packet dropped.\n",
hlen, p->len));