This is the WIZnet Ethernet interface using a hardware TCP/IP chip: W5500, W5200 or W5100. One of them can be selected by enabling it in wiznet.h.


Issue: UDPSocket::receiveFrom --- no length check for receive buffer

I found an issue where there is no check of udp_size against the size of the target buffer. The variable length is passed to this function but not used (it describes the length of the incoming buffer). I ran into some cases where the size passed back from the eth->recv function was greater than the buffer, causing overruns.

To treat this issue, I just return -1. This may not be the correct behavior for this function.

file: UDPSocket.cpp

// -1 if unsuccessful, else number of bytes received
int UDPSocket::receiveFrom(Endpoint &remote, char *buffer, int length)
{
    uint8_t info[8];
    int size = eth->wait_readable(_sock_fd, _blocking ? -1 : _timeout, sizeof(info));
    if (size < 0) {
        return -1;
    }
    eth->recv(_sock_fd, (char*)info, sizeof(info));
    readEndpoint(remote, info);
    int udp_size = info[6]<<8|info[7]; 
    //TEST_ASSERT(udp_size <= (size-sizeof(info)));
    if (udp_size > (size-sizeof(info))) {
        return -1;
    }
    /* Perform Length check here to prevent buffer overrun */
    if (udp_size > length)
    {
       //printf("udp_size: %d\n",udp_size);
       return -1;
    }    
    return eth->recv(_sock_fd, buffer, udp_size);
}

1 comment:

23 Sep 2014

You're right. To overcome this, if it happens, I think the driver should return an error code and leave its UDP data in the receive buffer in the WIZnet chip for the next operation. I'll consider that and let you know the changes. Many thanks, Sean.
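An added example, not part of the thread and not WIZnet driver code: a small C++ model of the receive path in which an oversized datagram is truncated to length and the excess is discarded (the behaviour of BSD recvfrom on datagram sockets), so the next 8-byte header still lines up. FakeRxBuffer and bounded_receive_from are hypothetical names, and the FIFO is a constructed stand-in for the chip's RX memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <vector>

// Constructed stand-in for the chip's socket RX buffer: each datagram is stored
// as an 8-byte header (IP[4], port[2], length[2], big-endian) followed by payload.
struct FakeRxBuffer {
    std::deque<uint8_t> fifo;
    void push_datagram(const std::vector<uint8_t>& payload) {
        const uint8_t hdr[8] = {192, 0, 2, 1, 0x13, 0x88,
                                uint8_t(payload.size() >> 8), uint8_t(payload.size())};
        fifo.insert(fifo.end(), hdr, hdr + 8);
        fifo.insert(fifo.end(), payload.begin(), payload.end());
    }
    // Consume up to n bytes; copy them to dst, or discard them when dst is null.
    size_t read(uint8_t* dst, size_t n) {
        size_t got = 0;
        for (; got < n && !fifo.empty(); ++got, fifo.pop_front())
            if (dst) dst[got] = fifo.front();
        return got;
    }
};

// Hypothetical bounded receive: -1 on error, else bytes copied (never more than length).
int bounded_receive_from(FakeRxBuffer& rx, char* buffer, int length) {
    uint8_t info[8];
    if (buffer == nullptr || length < 0 || rx.fifo.size() < sizeof(info)) return -1;
    rx.read(info, sizeof(info));
    size_t udp_size = (size_t(info[6]) << 8) | info[7];
    if (udp_size > rx.fifo.size()) {   // header claims more than is buffered
        rx.fifo.clear();               // framing is lost; flush to resynchronise
        return -1;
    }
    size_t to_copy = udp_size < size_t(length) ? udp_size : size_t(length);
    rx.read(reinterpret_cast<uint8_t*>(buffer), to_copy);
    rx.read(nullptr, udp_size - to_copy);  // drop the excess so the next header lines up
    return int(to_copy);
}

int main() {
    FakeRxBuffer rx;
    rx.push_datagram(std::vector<uint8_t>(20, 'A'));  // constructed: larger than buf
    rx.push_datagram({'o', 'k'});                     // constructed: fits in buf
    char buf[8];
    int first = bounded_receive_from(rx, buf, sizeof(buf));
    int second = bounded_receive_from(rx, buf, sizeof(buf));
    return (first == 8 && second == 2) ? 0 : 1;
}
```

In this model, returning early after the header has been consumed without draining the payload would leave payload bytes at the head of the FIFO, and the next call would parse them as a header.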