FIX: Integer Overflow in pico icmp4

virtualsquare · Dec 7, 2024 · dcfce9d · dcfce9d
1 parent cd6ec86
commit dcfce9d
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/modules/pico_icmp4.c b/modules/pico_icmp4.c
@@ -380,6 +380,10 @@ static int8_t pico_icmp4_send_echo(struct pico_stack *S, struct pico_icmp4_ping_
     if (!dev)
         return -1;
 
+    // prevent overflow
+    if (cookie->size > PICO_ICMP_MAXCOOKIE)
+        return -1;
+
     echo = pico_proto_ipv4.alloc(S, &pico_proto_ipv4, dev, (uint16_t)(PICO_ICMPHDR_UN_SIZE + cookie->size));
     if (!echo)
         return -1;

diff --git a/modules/pico_icmp4.h b/modules/pico_icmp4.h
@@ -111,6 +111,7 @@ PACKED_STRUCT_DEF pico_icmp4_hdr {
 #define  PICO_ICMP_MASKREPLY    18
 
 #define  PICO_ICMP_MAXTYPE    18
+#define  PICO_ICMP_MAXCOOKIE    65528
 
 
 #define  PICO_ICMP_UNREACH_NET          0