diff options
author | Ole Troan <ot@cisco.com> | 2021-11-23 15:55:39 +0100 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2021-12-03 09:35:30 +0000 |
commit | 03092c1982468ff6ffe260b0215f910d4c486b04 (patch) | |
tree | 0d58999070b677d38e2aa2f5da4341383beedbb3 /src/vnet/ip/reass/ip6_full_reass.c | |
parent | 2008912b56abbf3167faf9b787df76605684d9e1 (diff) |
ip: extension header parsing fails for fragment header
Refactor and improve boundary checking on IPv6 extension header handling.
Limit parsing of IPv6 extension headers to a maximum of 4 headers and a
depth of 256 bytes.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ide40aaa2b482ceef7e92f02fa0caeadb3b8f7556
Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'src/vnet/ip/reass/ip6_full_reass.c')
-rw-r--r-- | src/vnet/ip/reass/ip6_full_reass.c | 71 |
1 files changed, 37 insertions, 34 deletions
diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c index 8486aea6753..901da99c85d 100644 --- a/src/vnet/ip/reass/ip6_full_reass.c +++ b/src/vnet/ip/reass/ip6_full_reass.c @@ -25,6 +25,7 @@ #include <vnet/ip/ip.h> #include <vppinfra/bihash_48_8.h> #include <vnet/ip/reass/ip6_full_reass.h> +#include <vnet/ip/ip6_inlines.h> #define MSEC_PER_SEC 1000 #define IP6_FULL_REASS_TIMEOUT_DEFAULT_MS 100 @@ -729,19 +730,27 @@ ip6_full_reass_finalize (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_buffer_opaque_t *first_b_vnb = vnet_buffer (first_b); ip6_header_t *ip = vlib_buffer_get_current (first_b); u16 ip6_frag_hdr_offset = first_b_vnb->ip.reass.ip6_frag_hdr_offset; - ip6_ext_header_t *prev_hdr; - frag_hdr = - ip6_ext_header_find (vm, first_b, ip, IP_PROTOCOL_IPV6_FRAGMENTATION, - &prev_hdr); - if (prev_hdr) + ip6_ext_hdr_chain_t hdr_chain; + ip6_ext_header_t *prev_hdr = 0; + int res = ip6_ext_header_walk (first_b, ip, IP_PROTOCOL_IPV6_FRAGMENTATION, + &hdr_chain); + if (res < 0 || + (hdr_chain.eh[res].protocol != IP_PROTOCOL_IPV6_FRAGMENTATION)) { + rv = IP6_FULL_REASS_RC_INTERNAL_ERROR; + goto free_buffers_and_return; + } + frag_hdr = ip6_ext_next_header_offset (ip, hdr_chain.eh[res].offset); + if (res > 0) + { + prev_hdr = ip6_ext_next_header_offset (ip, hdr_chain.eh[res - 1].offset); prev_hdr->next_hdr = frag_hdr->next_hdr; } else { ip->protocol = frag_hdr->next_hdr; } - if (!((u8 *) frag_hdr - (u8 *) ip == ip6_frag_hdr_offset)) + if (hdr_chain.eh[res].offset != ip6_frag_hdr_offset) { rv = IP6_FULL_REASS_RC_INTERNAL_ERROR; goto free_buffers_and_return; @@ -982,22 +991,18 @@ check_if_done_maybe: } always_inline bool -ip6_full_reass_verify_upper_layer_present (vlib_node_runtime_t * node, - vlib_buffer_t * b, - ip6_frag_hdr_t * frag_hdr) +ip6_full_reass_verify_upper_layer_present (vlib_node_runtime_t *node, + vlib_buffer_t *b, + ip6_ext_hdr_chain_t *hc) { - ip6_ext_header_t *tmp = (ip6_ext_header_t *) frag_hdr; - while (ip6_ext_hdr (tmp->next_hdr)) + int nh = hc->eh[hc->length - 1].protocol; + /* Checking to see if it's a terminating header */ + if (ip6_ext_hdr (nh)) { - tmp = ip6_ext_next_header (tmp); - } - if (IP_PROTOCOL_IP6_NONXT == tmp->next_hdr) - { - icmp6_error_set_vnet_buffer (b, ICMP6_parameter_problem, - ICMP6_parameter_problem_first_fragment_has_incomplete_header_chain, - 0); + icmp6_error_set_vnet_buffer ( + b, ICMP6_parameter_problem, + ICMP6_parameter_problem_first_fragment_has_incomplete_header_chain, 0); b->error = node->errors[IP6_ERROR_REASS_MISSING_UPPER]; - return false; } return true; @@ -1076,29 +1081,27 @@ ip6_full_reassembly_inline (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); ip6_header_t *ip0 = vlib_buffer_get_current (b0); - ip6_frag_hdr_t *frag_hdr = NULL; - ip6_ext_header_t *prev_hdr; - if (ip6_ext_hdr (ip0->protocol)) - { - frag_hdr = - ip6_ext_header_find (vm, b0, ip0, - IP_PROTOCOL_IPV6_FRAGMENTATION, - &prev_hdr); - } - if (!frag_hdr) + ip6_frag_hdr_t *frag_hdr; + ip6_ext_hdr_chain_t hdr_chain; + int res = ip6_ext_header_walk ( + b0, ip0, IP_PROTOCOL_IPV6_FRAGMENTATION, &hdr_chain); + if (res < 0 || + hdr_chain.eh[res].protocol != IP_PROTOCOL_IPV6_FRAGMENTATION) { - // this is a regular packet - no fragmentation - next0 = IP6_FULL_REASSEMBLY_NEXT_INPUT; + // this is a mangled packet - no fragmentation + next0 = IP6_FULL_REASSEMBLY_NEXT_DROP; goto skip_reass; } + frag_hdr = + ip6_ext_next_header_offset (ip0, hdr_chain.eh[res].offset); vnet_buffer (b0)->ip.reass.ip6_frag_hdr_offset = - (u8 *) frag_hdr - (u8 *) ip0; + hdr_chain.eh[res].offset; if (0 == ip6_frag_hdr_offset (frag_hdr)) { // first fragment - verify upper-layer is present - if (!ip6_full_reass_verify_upper_layer_present - (node, b0, frag_hdr)) + if (!ip6_full_reass_verify_upper_layer_present (node, b0, + &hdr_chain)) { next0 = IP6_FULL_REASSEMBLY_NEXT_ICMP_ERROR; goto skip_reass; |