aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYoann Desmouceaux <ydesmouc@cisco.com>2016-04-11 10:38:23 +0200
committerGerrit Code Review <gerrit@fd.io>2016-04-11 14:49:56 +0000
commitf53b7d5e97665b6598adc376f214ed88bf2b33d4 (patch)
tree6481b38236976132b7e2736a97217966c2214030
parent5ac4a0f76a4f871e6e330e038d297d2d1c4c4f38 (diff)
Fix possible infinite loop in IPv6 hop-by-hop header parsing
Unknown hop-by-hop options are currently not processed, which triggers an infinite loop due to the pointer not advancing further in the header. Change-Id: Idf9176090e042b17aac1baa25a6cb4beb8c199d8 Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
-rw-r--r--vnet/vnet/ip/ip6_hop_by_hop.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/vnet/vnet/ip/ip6_hop_by_hop.c b/vnet/vnet/ip/ip6_hop_by_hop.c
index 74f79506007..bd96c9b0a28 100644
--- a/vnet/vnet/ip/ip6_hop_by_hop.c
+++ b/vnet/vnet/ip/ip6_hop_by_hop.c
@@ -429,6 +429,12 @@ ip6_hop_by_hop_node_fn (vlib_main_t * vm,
case 0: /* Pad */
opt0 = (ip6_hop_by_hop_option_t *) ((u8 *)opt0) + 1;
goto out0;
+
+ default:
+ opt0 = (ip6_hop_by_hop_option_t *)
+ (((u8 *)opt0) + opt0->length
+ + sizeof (ip6_hop_by_hop_option_t));
+ break;
}
}