From 00f4cd5252c9f7a3513366a1ff3d0f72e79d1ca3 Mon Sep 17 00:00:00 2001
From: TheLastRar
Date: Tue, 3 Dec 2024 22:28:12 +0000
Subject: [PATCH] DEV9: Prevent out of bounds reads in ICMP fix
---
 .../Sessions/ICMP_Session/ICMP_Session.cpp | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/pcsx2/DEV9/Sessions/ICMP_Session/ICMP_Session.cpp b/pcsx2/DEV9/Sessions/ICMP_Session/ICMP_Session.cpp
index cec51daa0b..5ba07fdf8e 100644
--- a/pcsx2/DEV9/Sessions/ICMP_Session/ICMP_Session.cpp
+++ b/pcsx2/DEV9/Sessions/ICMP_Session/ICMP_Session.cpp
@@ -785,11 +785,28 @@ namespace Sessions
 Console.Error("DEV9: ICMP: Malformed ICMP Packet");
 int off = 1;
 while ((icmpPayload->data[off] & 0xF0) != (4 << 4))
+ {
 off += 1;
+ // Require space for the IP Header and source/dest port of a UDP/TCP packet
+ // We don't generate packets with IP options, so IP header is always 20 bytes
+ if (icmpPayload->GetLength() - off - 24 < 0)
+ {
+ off = -1;
+ break;
+ }
+ }
+
+ if (off == -1)
+ {
+ Console.Error("DEV9: ICMP: Unable To Recover Data");
+ Console.Error("DEV9: ICMP: Failed To Reset Rejected Connection");
+ break;
+ }
+
 Console.Error("DEV9: ICMP: Payload delayed %d bytes", off);
- retPkt = std::make_unique(&icmpPayload->data[off], icmpPayload->GetLength(), true);
+ retPkt = std::make_unique(&icmpPayload->data[off], icmpPayload->GetLength() - off, true);
 }
 const IP_Address srvIP = retPkt->sourceIP;
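Review bot: The first evaluation of the `while` condition still reads `icmpPayload->data[1]` before any length test, because the new check only runs after `off += 1`; if that byte already matches, the loop exits at `off == 1` and `retPkt` is built from `GetLength() - 1` bytes, which may be less than the 24 the comment requires. Testing the bound before the read covers both cases, e.g. `while (off + 24 <= icmpPayload->GetLength() && (icmpPayload->data[off] & 0xF0) != (4 << 4))` with the failure path keyed on `if (off + 24 > icmpPayload->GetLength())` instead of the `-1` sentinel. The subtraction form `GetLength() - off - 24 < 0` also depends on `GetLength()` returning a signed type, which the hunk does not show; if it were unsigned the check could never fire, and the additive comparison avoids that dependency. The enclosing block starts and ends outside the hunk, so whether an earlier length check already guards offsets 0 and 1 cannot be confirmed from here.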