diff --git a/apps/slip-cmd/packetutils.c b/apps/slip-cmd/packetutils.c index e8c7fd9aa..46ca3ad5f 100644 --- a/apps/slip-cmd/packetutils.c +++ b/apps/slip-cmd/packetutils.c @@ -70,7 +70,16 @@ packetutils_deserialize_atts(const uint8_t *data, int size) pos = 0; cnt = data[pos++]; PRINTF("packetutils: deserializing %d packet atts:", cnt); + if(cnt > PACKETBUF_NUM_ATTRS) { + PRINTF(" *** too many: %u!\n", PACKETBUF_NUM_ATTRS); + return -1; + } for(i = 0; i < cnt; i++) { + if(data[pos] >= PACKETBUF_NUM_ATTRS) { + /* illegal attribute identifier */ + PRINTF(" *** unknown attribute %u\n", data[pos]); + return -1; + } PRINTF(" %d=%d", data[pos], (data[pos + 1] << 8) | data[pos + 2]); packetbuf_set_attr(data[pos], (data[pos + 1] << 8) | data[pos + 2]); pos += 3; diff --git a/examples/ipv6/slip-radio/slip-radio.c b/examples/ipv6/slip-radio/slip-radio.c index c034d8964..d04b4b1e6 100644 --- a/examples/ipv6/slip-radio/slip-radio.c +++ b/examples/ipv6/slip-radio/slip-radio.c @@ -99,9 +99,12 @@ slip_radio_cmd_handler(const uint8_t *data, int len) packet_ids[packet_pos] = data[2]; packetbuf_clear(); - pos = 3; - pos += packetutils_deserialize_atts(&data[pos], len - pos); - + pos = packetutils_deserialize_atts(&data[3], len - 3); + if(pos < 0) { + PRINTF("slip-radio: illegal packet attributes\n"); + return 1; + } + pos += 3; len -= pos; if(len > PACKETBUF_SIZE) { len = PACKETBUF_SIZE; @@ -109,11 +112,12 @@ slip_radio_cmd_handler(const uint8_t *data, int len) memcpy(packetbuf_dataptr(), &data[pos], len); packetbuf_set_datalen(len); - PRINTF("slip-radio: sending: %d\n", packetbuf_datalen()); + PRINTF("slip-radio: sending %u (%d bytes)\n", + data[2], packetbuf_datalen()); /* parse frame before sending to get addresses, etc. */ no_framer.parse(); - NETSTACK_MAC.send(&packet_sent, &packet_ids[packet_pos]); + NETSTACK_MAC.send(packet_sent, &packet_ids[packet_pos]); packet_pos++; if(packet_pos >= sizeof(packet_ids)) {