authorFlorin Coras <fcoras@cisco.com>2020-03-31 01:49:40 +0000
committerAndrew Yourtchenko <ayourtch@gmail.com>2020-08-13 10:39:40 +0000
commitfaab8a17b881b743aa56d8a9dd9cde83a04dd890 (patch)
tree0495271addaaf1993217d6ac431d8a09f57b46a3
parentdf16414818d3d20d8dc34c6efa1f024bc2caaf77 (diff)
udp: validate input data length
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I3f34011ca61ded310d0411e7b50548982bd164ac (cherry picked from commit 936197467aac08b7620c9cb0614817b90466968e)
-rw-r--r--src/vnet/udp/udp_input.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/vnet/udp/udp_input.c b/src/vnet/udp/udp_input.c
index bd4e75710f5..453e123f02e 100644
--- a/src/vnet/udp/udp_input.c
+++ b/src/vnet/udp/udp_input.c
@@ -89,7 +89,7 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
while (n_left_from > 0)
{
- u32 bi0, fib_index0;
+ u32 bi0, fib_index0, data_len;
vlib_buffer_t *b0;
u32 error0 = UDP_ERROR_ENQUEUED;
udp_header_t *udp0;
@@ -125,7 +125,8 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
udp0->src_port, TRANSPORT_PROTO_UDP);
lcl_addr = &ip40->dst_address;
rmt_addr = &ip40->src_address;
-
+ data_len = clib_net_to_host_u16 (ip40->length);
+ data_len -= sizeof (ip4_header_t) + sizeof (udp_header_t);
}
else
{
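Review bot: The two subtractions on `data_len` are unsigned and unguarded, so an IPv4 `length` smaller than `sizeof (ip4_header_t) + sizeof (udp_header_t)` wraps the u32 to a very large value instead of being rejected. The IPv6 hunk below has the same gap when `payload_length` is smaller than `sizeof (udp_header_t)`. Unless an earlier node already guarantees these minimums, compare before subtracting, e.g. `if (PREDICT_FALSE (ip_len < sizeof (ip4_header_t) + sizeof (udp_header_t)))` with `ip_len` the host-order length, then set a length error and `goto trace0`. The fixed `sizeof (ip4_header_t)` also appears to ignore IPv4 options, which would leave `data_len` too large by the option bytes when IHL > 5. The enclosing function starts and ends outside this hunk.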
@@ -135,6 +136,8 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
udp0->src_port, TRANSPORT_PROTO_UDP);
lcl_addr = &ip60->dst_address;
rmt_addr = &ip60->src_address;
+ data_len = clib_net_to_host_u16 (ip60->payload_length);
+ data_len -= sizeof (udp_header_t);
}
if (PREDICT_FALSE (!s0))
@@ -228,12 +231,12 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (svm_fifo_max_enqueue_prod (s0->rx_fifo)
- < b0->current_length + sizeof (session_dgram_hdr_t))
+ < data_len + sizeof (session_dgram_hdr_t))
{
error0 = UDP_ERROR_FIFO_FULL;
goto trace0;
}
- hdr0.data_length = b0->current_length;
+ hdr0.data_length = b0->current_length = data_len;
hdr0.data_offset = 0;
ip_set (&hdr0.lcl_ip, lcl_addr, is_ip4);
ip_set (&hdr0.rmt_ip, rmt_addr, is_ip4);
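Review bot: `b0->current_length = data_len` replaces the buffer's real length with a value derived from the IP header, and nothing visible checks that it does not exceed the bytes the buffer actually holds. The change covers a buffer longer than the datagram, but if the header claims more than was received, the later enqueue would presumably read past the valid data and could hand stale buffer contents to the application. A guard before the assignment, `if (PREDICT_FALSE (data_len > b0->current_length))` setting a length error and jumping to `trace0`, would make the trim strictly a shrink. A short comment on how chained buffers are handled would also help, since `current_length` seems to describe only the first segment. The function body continues outside the hunk.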