author | Ole Troan <ot@cisco.com> | 2021-11-23 15:55:39 +0100 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2021-12-03 09:35:30 +0000 |
commit | 03092c1982468ff6ffe260b0215f910d4c486b04 (patch) | |
tree | 0d58999070b677d38e2aa2f5da4341383beedbb3 /src/vnet/ip/ip6_forward.c | |
parent | 2008912b56abbf3167faf9b787df76605684d9e1 (diff) |
ip: extension header parsing fails for fragment header
Refactor and improve boundary checking on IPv6 extension header handling.
Limit parsing of IPv6 extension headers to a maximum of 4 headers and a
depth of 256 bytes.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ide40aaa2b482ceef7e92f02fa0caeadb3b8f7556
Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'src/vnet/ip/ip6_forward.c')
-rw-r--r-- | src/vnet/ip/ip6_forward.c | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/src/vnet/ip/ip6_forward.c b/src/vnet/ip/ip6_forward.c
index 9ee3d11cef2..5b7704e460e 100644
--- a/src/vnet/ip/ip6_forward.c
+++ b/src/vnet/ip/ip6_forward.c
@@ -1227,14 +1227,11 @@ always_inline u8
 ip6_next_proto_is_tcp_udp (vlib_buffer_t * p0, ip6_header_t * ip0,
 u32 * udp_offset0)
 {
- u32 proto0;
- proto0 = ip6_locate_header (p0, ip0, IP_PROTOCOL_UDP, udp_offset0);
- if (proto0 != IP_PROTOCOL_UDP)
- {
- proto0 = ip6_locate_header (p0, ip0, IP_PROTOCOL_TCP, udp_offset0);
- proto0 = (proto0 == IP_PROTOCOL_TCP) ? proto0 : 0;
- }
- return proto0;
+ int nh = ip6_locate_header (p0, ip0, -1, udp_offset0);
+ if (nh > 0)
+ if (nh == IP_PROTOCOL_UDP || nh == IP_PROTOCOL_TCP)
+ return nh;
+ return 0;
 }
 
 /* *INDENT-OFF* */ |
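Review bot: In the new body of `ip6_next_proto_is_tcp_udp`, a failed extension-header walk and a packet whose upper-layer protocol is simply not TCP or UDP both come back as 0, so a caller cannot tell a packet that hit the new parsing limits from one that carries another protocol. `ip6_locate_header` and the callers are outside this hunk, so whether a non-positive `nh` is dropped elsewhere cannot be confirmed from here; if it is not, such packets would bypass whatever TCP/UDP validation keys off this result. At minimum I would document the contract above the call, for example `/* -1: walk to the upper-layer header; a non-positive result means the walk failed and *udp_offset0 must not be used */`, with the wording checked against `ip6_locate_header`. The outer `if (nh > 0)` is also redundant with the two equality tests, and the unbraced nested `if` is easy to misread; `if (nh == IP_PROTOCOL_UDP || nh == IP_PROTOCOL_TCP) return nh;` expresses the same thing.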