Skip to content

Commit

Permalink
DEV9: Prevent out of bounds reads in ICMP fix
Browse files Browse the repository at this point in the history
  • Loading branch information
@TheLastRar @F0bes
TheLastRar authored and F0bes committed Dec 5, 2024
1 parent 0a44e20 commit 00f4cd5
Showing 1 changed file with 18 additions and 1 deletion.
19 changes: 18 additions & 1 deletion pcsx2/DEV9/Sessions/ICMP_Session/ICMP_Session.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -785,11 +785,28 @@ namespace Sessions
Console.Error("DEV9: ICMP: Malformed ICMP Packet");
int off = 1;
while ((icmpPayload->data[off] & 0xF0) != (4 << 4))
{
off += 1;

// Require space for the IP Header and source/dest port of a UDP/TCP packet
// We don't generate packets with IP options, so IP header is always 20 bytes
if (icmpPayload->GetLength() - off - 24 < 0)
{
off = -1;
break;
}
}

if (off == -1)
{
Console.Error("DEV9: ICMP: Unable To Recover Data");
Console.Error("DEV9: ICMP: Failed To Reset Rejected Connection");
break;
}

Console.Error("DEV9: ICMP: Payload delayed %d bytes", off);

retPkt = std::make_unique<IP_Packet>(&icmpPayload->data[off], icmpPayload->GetLength(), true);
retPkt = std::make_unique<IP_Packet>(&icmpPayload->data[off], icmpPayload->GetLength() - off, true);
}

const IP_Address srvIP = retPkt->sourceIP;
Expand Down

0 comments on commit 00f4cd5

Please sign in to comment.