diff options
author | Yoann Desmouceaux <ydesmouc@cisco.com> | 2016-04-11 10:38:23 +0200 |
---|---|---|
committer | Gerrit Code Review <gerrit@fd.io> | 2016-04-11 14:49:56 +0000 |
commit | f53b7d5e97665b6598adc376f214ed88bf2b33d4 (patch) | |
tree | 6481b38236976132b7e2736a97217966c2214030 | |
parent | 5ac4a0f76a4f871e6e330e038d297d2d1c4c4f38 (diff) |
Fix possible infinite loop in IPv6 hop-by-hop header parsing
Unknown hop-by-hop options are currently not processed, which triggers an
infinite loop due to the pointer not advancing further in the header.
Change-Id: Idf9176090e042b17aac1baa25a6cb4beb8c199d8
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
-rw-r--r-- | vnet/vnet/ip/ip6_hop_by_hop.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/vnet/vnet/ip/ip6_hop_by_hop.c b/vnet/vnet/ip/ip6_hop_by_hop.c index 74f79506007..bd96c9b0a28 100644 --- a/vnet/vnet/ip/ip6_hop_by_hop.c +++ b/vnet/vnet/ip/ip6_hop_by_hop.c @@ -429,6 +429,12 @@ ip6_hop_by_hop_node_fn (vlib_main_t * vm, case 0: /* Pad */ opt0 = (ip6_hop_by_hop_option_t *) ((u8 *)opt0) + 1; goto out0; + + default: + opt0 = (ip6_hop_by_hop_option_t *) + (((u8 *)opt0) + opt0->length + + sizeof (ip6_hop_by_hop_option_t)); + break; } } |