ICMP echo request and reply packets include a 16-bit 'id' value. We have
some arrays indexed by this id value. Unfortunately we size those arrays
with USHRT_MAX (65535) when they need to be sized by the total number of
id values (65536). This could lead to buffer overruns. Resize the arrays
correctly, using a new define for the purpose.
Signed-off-by: David Gibson
---
icmp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/icmp.c b/icmp.c
index 2da8b58..39a8694 100644
--- a/icmp.c
+++ b/icmp.c
@@ -39,6 +39,7 @@
#include "icmp.h"
#define ICMP_ECHO_TIMEOUT 60 /* s, timeout for ICMP socket activity */
+#define ICMP_NUM_IDS (1U << 16)
/**
* struct icmp_id_sock - Tracking information for single ICMP echo identifier
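Review bot: The new `ICMP_NUM_IDS` define has no comment, unlike `ICMP_ECHO_TIMEOUT` directly above it, even though its meaning determines the bounds of the arrays it sizes. I would document that it is the count of distinct echo identifiers rather than the largest one, e.g. `#define ICMP_NUM_IDS (1U << 16) /* Number of possible ICMP echo id values (16-bit field) */`. That makes the difference from `USHRT_MAX` explicit for anyone who later adds another id-indexed table.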
@@ -53,10 +54,10 @@ struct icmp_id_sock {
};
/* Indexed by ICMP echo identifier */
-static struct icmp_id_sock icmp_id_map [IP_VERSIONS][USHRT_MAX];
+static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];
/* Bitmaps, activity monitoring needed for identifier */
-static uint8_t icmp_act [IP_VERSIONS][USHRT_MAX / 8];
+static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)];
/**
* icmp_sock_handler() - Handle new data from socket
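Review bot: The two array bounds are now right for a 16-bit id, but nothing in these declarations states or enforces that the index is a 16-bit value. The code that indexes `icmp_id_map` and `icmp_act` is outside this hunk, so it is worth confirming that each index is a `uint16_t` id and not a wider or signed value. Extending the comment to `/* Indexed by ICMP echo identifier (16-bit, ICMP_NUM_IDS entries) */` would record that invariant next to the arrays. If the bitmap is indexed by id bit, the old `USHRT_MAX / 8` truncated to 8191 bytes, so the top eight identifiers fell past the end of `icmp_act`, not only 65535; that matters when judging which builds need this fix. `DIV_ROUND_UP` is not defined in the visible lines and is presumably supplied by an included header.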
--
2.37.3