Terminating immediately when overflow is found

seladb · Jan 9, 2025 · 6c67fb2 · 6c67fb2
1 parent e347d4d
commit 6c67fb2
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
@@ -49,21 +49,28 @@ static struct _light_option *__parse_options(uint32_t **memory, const int32_t ma
       opt->custom_option_code = *local_memory++;
       opt->option_length = *local_memory++;
 
+      // PCPP patch
       // Validate option_length
       if (opt->option_length > max_len - 2 * sizeof(*local_memory)) {
           free(opt);
           return NULL;
       }
+      // PCPP patch end
 
       actual_length = (opt->option_length % alignment) == 0 ?
             opt->option_length :
             (opt->option_length / alignment + 1) * alignment;
 
-      if (actual_length > 0 && actual_length <= max_len - 2 * sizeof(*local_memory)) {
-         opt->data = calloc(1, actual_length);
-         memcpy(opt->data, local_memory, actual_length);
-         local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment);
+      // PCPP patch
+      // Validate option_length
+      if (actual_length <= 0 || actual_length > max_len - 2 * sizeof(*local_memory)) {
+          free(opt);
+          return NULL;
       }
+      opt->data = calloc(1, actual_length);
+      memcpy(opt->data, local_memory, actual_length);
+      local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment);
+      // PCPP patch end
 
       *memory = (uint32_t*)local_memory;
       remaining_size = max_len - actual_length - 2 * sizeof(*local_memory);