Fix insufficient length validation in UDP packets.

whitequark · whitequark · commit 2989fa334885 · 2017-06-24T12:15:18.000Z
Found via cargo-fuzz.
diff --git a/src/wire/udp.rs b/src/wire/udp.rs
@@ -44,17 +44,22 @@ impl<T: AsRef<[u8]>> Packet<T> {
 
     /// Ensure that no accessor method will panic if called.
     /// Returns `Err(Error::Truncated)` if the buffer is too short.
+    /// Returns `Err(Error::Malformed)` if the length field has a value smaller
+    /// than the header length.
     ///
-    /// The result of this check is invalidated by calling [set_header_len].
+    /// The result of this check is invalidated by calling [set_len].
     ///
-    /// [set_header_len]: #method.set_header_len
+    /// [set_len]: #method.set_len
     pub fn check_len(&self) -> Result<(), Error> {
-        let len = self.buffer.as_ref().len();
-        if len < field::CHECKSUM.end {
+        let buffer_len = self.buffer.as_ref().len();
+        if buffer_len < field::CHECKSUM.end {
             Err(Error::Truncated)
         } else {
-            if len < self.len() as usize {
+            let field_len = self.len() as usize;
+            if buffer_len < field_len {
                 Err(Error::Truncated)
+            } else if field_len < field::CHECKSUM.end {
+                Err(Error::Malformed)
             } else {
                 Ok(())
             }
@@ -299,6 +304,14 @@ mod test {
         assert_eq!(&packet.into_inner()[..], &PACKET_BYTES[..]);
     }
 
+    #[test]
+    fn test_impossible_len() {
+        let mut bytes = vec![0; 12];
+        let mut packet = Packet::new(&mut bytes);
+        packet.set_len(4);
+        assert_eq!(packet.check_len(), Err(Error::Malformed));
+    }
+
     fn packet_repr() -> Repr<'static> {
         Repr {
             src_port: 48896,
