From 2f00d54d33cf1f277600295e5aa5d60d343fdf68 Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 10:30:16 +0100 Subject: [PATCH 1/7] validate minimum packet length (ethernet header+ ip header, with no options) --- src/wolfip.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/wolfip.c b/src/wolfip.c index c08ed1b..3512ee7 100644 --- a/src/wolfip.c +++ b/src/wolfip.c @@ -3362,6 +3362,10 @@ size_t wolfIP_instance_size(void) static inline void ip_recv(struct wolfIP *s, unsigned int if_idx, struct wolfIP_ip_packet *ip, uint32_t len) { + /* validate minimum packet length + * (ethernet header+ ip header, with no options) */ + if (len < sizeof(struct wolfIP_ip_packet)) + return; #if WOLFIP_ENABLE_FORWARDING unsigned int i; #endif From 6db47542c0e6f88095c06d2d85bc9f1dc300ac70 Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 10:33:12 +0100 Subject: [PATCH 2/7] validate minimum ARP packet length --- src/wolfip.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/wolfip.c b/src/wolfip.c index 3512ee7..5e9dc7e 100644 --- a/src/wolfip.c +++ b/src/wolfip.c @@ -3255,6 +3255,11 @@ static void arp_recv(struct wolfIP *s, unsigned int if_idx, void *buf, int len) struct wolfIP_ll_dev *ll = wolfIP_ll_at(s, if_idx); struct ipconf *conf; + + /* validate minimum ARP packet length */ + if (len < (int)sizeof(struct arp_packet)) + return; + if (!ll) return; conf = wolfIP_ipconf_at(s, if_idx); From 507b6966bf2282613b9e0fec4f6f02a9e986ed1c Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 10:39:21 +0100 Subject: [PATCH 3/7] validate minimum ICMP packet length --- src/wolfip.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/wolfip.c b/src/wolfip.c index 5e9dc7e..97b8ce1 100644 --- a/src/wolfip.c +++ b/src/wolfip.c @@ -2783,6 +2783,12 @@ static void icmp_input(struct wolfIP *s, unsigned int if_idx, struct wolfIP_ip_p struct wolfIP_icmp_packet *icmp = (struct wolfIP_icmp_packet *)ip; uint32_t tmp; struct wolfIP_ll_dev *ll = wolfIP_ll_at(s, if_idx); + + /* validate minimum ICMP packet length */ + if (len < sizeof(struct wolfIP_icmp_packet)) + return; + + if (wolfIP_filter_notify_icmp(WOLFIP_FILT_RECEIVING, s, if_idx, icmp, len) != 0) return; if (icmp->type == ICMP_ECHO_REPLY) { From e98b7307a4131e7e7211b63eb9df5bb2c1c87141 Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 10:41:59 +0100 Subject: [PATCH 4/7] validate minimum TCP segment length --- src/wolfip.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/wolfip.c b/src/wolfip.c index 97b8ce1..9edfc42 100644 --- a/src/wolfip.c +++ b/src/wolfip.c @@ -1739,6 +1739,11 @@ static void tcp_ack(struct tsocket *t, const struct wolfIP_tcp_seg *tcp) static void tcp_input(struct wolfIP *S, unsigned int if_idx, struct wolfIP_tcp_seg *tcp, uint32_t frame_len) { int i; + + /* validate minimum TCP segment length */ + if (frame_len < sizeof(struct wolfIP_tcp_seg)) + return; + if (wolfIP_filter_notify_tcp(WOLFIP_FILT_RECEIVING, S, if_idx, tcp, frame_len) != 0) return; for (i = 0; i < MAX_TCPSOCKETS; i++) { From 7d66090f54620cef2698073986221bbdd4d43ecd Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 10:45:56 +0100 Subject: [PATCH 5/7] validate minimum UDP datagram length --- src/wolfip.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/wolfip.c b/src/wolfip.c index 9edfc42..384079d 100644 --- a/src/wolfip.c +++ b/src/wolfip.c @@ -1230,8 +1230,16 @@ static void udp_try_recv(struct wolfIP *s, unsigned int if_idx, struct wolfIP_ud { struct ipconf *conf = wolfIP_ipconf_at(s, if_idx); int i; - ip4 local_ip = conf ? conf->ip : IPADDR_ANY; - ip4 dst_ip = ee32(udp->ip.dst); + ip4 local_ip; + ip4 dst_ip; + + /* validate minimum UDP datagram length */ + if (frame_len < sizeof(struct wolfIP_udp_datagram)) + return; + + local_ip = conf ? conf->ip : IPADDR_ANY; + dst_ip = ee32(udp->ip.dst); + if (wolfIP_filter_notify_udp(WOLFIP_FILT_RECEIVING, s, if_idx, udp, frame_len) != 0) return; for (i = 0; i < MAX_UDPSOCKETS; i++) { From 3ac8ea7d0c5c0745690efa148db08c825605e8f4 Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 10:54:57 +0100 Subject: [PATCH 6/7] memchr instead of strchr to respect length of the url --- src/http/httpd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/http/httpd.c b/src/http/httpd.c index cd3ca63..429a6d8 100644 --- a/src/http/httpd.c +++ b/src/http/httpd.c @@ -265,7 +265,7 @@ int http_url_encode(char *buf, size_t len, size_t max_len) { char *p = buf; char *q = NULL; while (p < buf + len) { - q = strchr(p, ' '); + q = memchr(p, ' ', len - (size_t)(p - buf)); if (!q) { break; } From d1162bb58d0b4efb975e9330a35adf928aa42261 Mon Sep 17 00:00:00 2001 From: Reda Chouk Date: Wed, 4 Feb 2026 11:04:49 +0100 Subject: [PATCH 7/7] fix mixed declaration --- src/wolfip.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/wolfip.c b/src/wolfip.c index 384079d..647a8e7 100644 --- a/src/wolfip.c +++ b/src/wolfip.c @@ -3386,13 +3386,13 @@ size_t wolfIP_instance_size(void) static inline void ip_recv(struct wolfIP *s, unsigned int if_idx, struct wolfIP_ip_packet *ip, uint32_t len) { +#if WOLFIP_ENABLE_FORWARDING + unsigned int i; +#endif /* validate minimum packet length * (ethernet header+ ip header, with no options) */ if (len < sizeof(struct wolfIP_ip_packet)) return; -#if WOLFIP_ENABLE_FORWARDING - unsigned int i; -#endif #if WOLFIP_ENABLE_LOOPBACK if (!wolfIP_is_loopback_if(if_idx)) { ip4 dest = ee32(ip->dst);