diff options
| author |   Yoann Desmouceaux <ydesmouc@cisco.com> | 2016-06-29 18:30:29 +0200 |
|---|---|---|
| committer |   Dave Barach <openvpp@barachs.net> | 2016-07-08 14:17:19 +0000 |
| commit | 0557a91ca727cee963a8179808d2d2108564ec56 (patch) | |
| tree | 325e06f1a05082ff23f6b15548babff2ac796767 | |
| parent | 4d5cabde54f847bccd365c64682e428aead30550 (diff) | |
IPv6 frag: avoid overflow while parsing extension headers
A malicious packet could advertise an extension header length bigger than
the actual packet length, which would cause an overflow.
Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
| -rw-r--r-- | vnet/vnet/ip/ip_frag.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/vnet/vnet/ip/ip_frag.c b/vnet/vnet/ip/ip_frag.c index 5437c265..38befc2b 100644 --- a/vnet/vnet/ip/ip_frag.c +++ b/vnet/vnet/ip/ip_frag.c @@ -274,6 +274,13 @@ ip6_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err payload += payload[1] * 8; } + if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) { + //A malicious packet could set an extension header with a too big size + //and make us modify another vlib_buffer + *error = IP6_ERROR_TOO_SHORT; + return; + } + u8 has_more; u16 initial_offset; if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) { |