authorYoann Desmouceaux <ydesmouc@cisco.com>2016-06-29 18:30:29 +0200
committerDave Barach <openvpp@barachs.net>2016-07-08 14:17:19 +0000
commit0557a91ca727cee963a8179808d2d2108564ec56 (patch)
tree325e06f1a05082ff23f6b15548babff2ac796767
parent4d5cabde54f847bccd365c64682e428aead30550 (diff)
IPv6 frag: avoid overflow while parsing extension headers
A malicious packet could advertise an extension header length bigger than the actual packet length, which would cause an overflow. Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4 Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
-rw-r--r--vnet/vnet/ip/ip_frag.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/vnet/vnet/ip/ip_frag.c b/vnet/vnet/ip/ip_frag.c
index 5437c265..38befc2b 100644
--- a/vnet/vnet/ip/ip_frag.c
+++ b/vnet/vnet/ip/ip_frag.c
@@ -274,6 +274,13 @@ ip6_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err
payload += payload[1] * 8;
}
+ if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) {
+ //A malicious packet could set an extension header with a too big size
+ //and make us modify another vlib_buffer
+ *error = IP6_ERROR_TOO_SHORT;
+ return;
+ }
+
u8 has_more;
u16 initial_offset;
if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) {
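Review bot: The added bounds check runs only after `payload += payload[1] * 8;` has already executed, so the length byte is read before anything confirms that `payload` is still inside the buffer; if the extension-header blocks above this hunk follow the same pattern (not visible here), an oversized length in the first header lets the later ones read past `current_length` before the check is reached. The comparison also guarantees only one remaining byte, while the fragmentation branch opening on the hunk's last line presumably reads a whole fragment header at `payload`. Consider computing `u8 *end = (u8 *) vlib_buffer_get_current(p) + p->current_length;` once, testing `if (PREDICT_FALSE(end - payload < 2))` before each `payload[1]` read, and then checking for the full size of whatever is read next. Separately, the hunk header shows the error parameter as `ip_frag_error_t *`, yet it is assigned `IP6_ERROR_TOO_SHORT`, which looks like a value from a different error enum, so it is worth confirming which counter this ends up incrementing. The function body starts and ends outside the hunk.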