From 4e33112d3e5d61d1f518fb82cb07444ac0c23ed6 Mon Sep 17 00:00:00 2001
From: adamdunkels
Date: Wed, 31 Mar 2010 12:17:24 +0000
Subject: [PATCH] Guard against malformed broadcast announcements
---
 core/net/rime/broadcast-announcement.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/core/net/rime/broadcast-announcement.c b/core/net/rime/broadcast-announcement.c
index 5d4f14fdb..2d0aa03cf 100644
--- a/core/net/rime/broadcast-announcement.c
+++ b/core/net/rime/broadcast-announcement.c
@@ -33,7 +33,7 @@
 *
 * This file is part of the Contiki operating system.
 *
- * $Id: broadcast-announcement.c,v 1.3 2010/03/25 08:49:56 adamdunkels Exp $
+ * $Id: broadcast-announcement.c,v 1.4 2010/03/31 12:17:24 adamdunkels Exp $
 */
 /**
@@ -137,6 +137,13 @@ adv_packet_received(struct broadcast_conn *ibc, const rimeaddr_t *from)
 rimeaddr_node_addr.u8[0], rimeaddr_node_addr.u8[1], from->u8[0], from->u8[1], adata.num);
+ if(adata.num / sizeof(struct announcement_data) > sizeof(struct announcement_msg)) {
+ /* The number of announcements is too large - corrupt packet has
+ been received. */
+ printf("adata.num way out there: %d\n", adata.num);
+ return;
+ }
+
 for(i = 0; i < adata.num; ++i) {
 struct announcement_data data;
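Review bot: The new guard in the second hunk never compares `adata.num` with the length of the packet that was actually received, so it does not bound the `for` loop that follows. It divides the entry count by `sizeof(struct announcement_data)` and compares the quotient with `sizeof(struct announcement_msg)`, so a sender-controlled `num` up to roughly the product of the two sizes still passes and the loop may read entries past the end of the received payload. The bound should come from the received payload length (in Contiki, `packetbuf_datalen()`), for example `if(len < HDR_LEN || adata.num > (len - HDR_LEN) / sizeof(struct announcement_data)) return;`, where `len` and `HDR_LEN` are placeholders for the payload length and the message header size. The unconditional `printf` sits on a path any radio neighbour can trigger, so it is better placed behind the file's debug macro or rate-limited. The body of `adv_packet_received` starts and ends outside the hunk, so the types of `adata.num` and `i` could not be checked here.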