aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ip/ip_frag.c
diff options
context:
space:
mode:
authorJuraj Sloboda <jsloboda@cisco.com>2018-10-16 12:18:21 +0200
committerMarco Varlese <marco.varlese@suse.de>2018-10-22 21:02:51 +0000
commit78d828eff35fc03c143810de35ceb11c4e5224ed (patch)
tree6b12de93a52640366e651b938bfb967cdb8a0781 /src/vnet/ip/ip_frag.c
parent9734c0a494a0cb62bfb4bd9fff19086bd95ba5fa (diff)
Fix buffer overflow when fragmenting packets (VPP-1383)
Change-Id: Idcda9ae55fa2efb0b2e928bac3e8e86ff8d19eba Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
Diffstat (limited to 'src/vnet/ip/ip_frag.c')
-rw-r--r--src/vnet/ip/ip_frag.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/vnet/ip/ip_frag.c b/src/vnet/ip/ip_frag.c
index 628d9d66474..8de4dfc5d58 100644
--- a/src/vnet/ip/ip_frag.c
+++ b/src/vnet/ip/ip_frag.c
@@ -101,7 +101,8 @@ ip4_frag_do_fragment (vlib_main_t * vm, u32 from_bi, u32 ** buffer,
ip4 = (ip4_header_t *) vlib_buffer_get_current (from_b);
rem = clib_net_to_host_u16 (ip4->length) - sizeof (ip4_header_t);
- max = (mtu - sizeof (ip4_header_t)) & ~0x7;
+ max =
+ (clib_min (mtu, VLIB_BUFFER_DATA_SIZE) - sizeof (ip4_header_t)) & ~0x7;
if (rem >
(vlib_buffer_length_in_chain (vm, from_b) - sizeof (ip4_header_t)))
@@ -152,7 +153,7 @@ ip4_frag_do_fragment (vlib_main_t * vm, u32 from_bi, u32 ** buffer,
ip4_header_t *to_ip4;
u8 *to_data;
- len = (rem > (mtu - sizeof (ip4_header_t)) ? max : rem);
+ len = (rem > max ? max : rem);
if (len != rem) /* Last fragment does not need to divisible by 8 */
len &= ~0x7;
if ((to_b = frag_buffer_alloc (org_from_b, &to_bi)) == 0)