Fix out-of-bounds access in Nping EchoClient

nping/EchoClient.cc

@@ -593,15 +593,19 @@ int EchoClient::parse_echo(u8 *pkt, size_t pktlen){
   //    return OP_FAILURE;
   //}
 
-//  /* Ensure message length is correct */
-//  if( h.getTotalLength()!=(pktlen/4)){
-//    nping_print(DBG_1, "Received NEP_ECHO specifies an incorrect length (%u)", h.getTotalLength()*4 );
-//    return OP_FAILURE;
-//  }
+  nping_print(DBG_1, "Received NEP_ECHO pktlen %lu, getTotalLength %u", pktlen, h.getTotalLength()*4 );
+  /* Ensure message length is correct */
+  if( h.getTotalLength()!=(pktlen/4)){
+    nping_print(DBG_1, "Received NEP_ECHO specifies an incorrect length (%u)", h.getTotalLength()*4 );
+    return OP_FAILURE;
+  }
 
   /* Fix the object's internal state, since the ECHO message was not created
    * by the object but from received data. */
-  h.updateEchoInternals();
+  if (h.updateEchoInternals() != OP_SUCCESS) {
+    nping_print(DBG_1, "NEP_ECHO length check failed");
+    return OP_FAILURE;
+  }
 
   /* Check the authenticity of the received message */
   if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){

nping/EchoHeader.cc

@@ -773,7 +773,7 @@ int EchoHeader::setPacketLength(u16 len){
 
 u16 EchoHeader::getPacketLength(){
     return ntohs(this->data_echo->packet_len);
-} /* End of setPacketLength() */
+} /* End of getPacketLength() */
 
 
 int EchoHeader::setEchoedPacket(const u8 *pkt, size_t pktlen){
@@ -824,6 +824,11 @@ int EchoHeader::updateEchoInternals(){
   if( this->getMessageType()!=TYPE_NEP_ECHO )
     return OP_FAILURE;
 
+  int totallen = this->getTotalLength() * 4;
+  int packetlen = this->getPacketLength();
+  if ((totallen - STD_NEP_HEADER_LEN - ECHOED_PKT_HEADER_LEN - MAC_LENGTH) < packetlen) {
+    return OP_FAILURE;
+  }
   /* Fix echo bytes length */
   this->echo_bytes=this->getPacketLength();
   if((this->echo_bytes+4)%16!=0){