diff options
author | Klement Sekera <ksekera@cisco.com> | 2021-12-01 10:14:38 +0000 |
---|---|---|
committer | Ole Tr�an <otroan@employees.org> | 2021-12-14 09:10:30 +0000 |
commit | 755042dec0fcc733d456adc2a74042c529eff039 (patch) | |
tree | b5d51eb10f428964e2d4283bf66bda830748399a /src/vnet/ip | |
parent | b97bec0ae58aa7e5a1aca48686143d7b89567ac7 (diff) |
ip: reassembly: drop zero length fragments
Zero length fragments are invalid and should be dropped. This patch adds
that.
Type: improvement
Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'src/vnet/ip')
-rw-r--r-- | src/vnet/ip/ip6_error.h | 1 | ||||
-rw-r--r-- | src/vnet/ip/reass/ip6_full_reass.c | 8 | ||||
-rw-r--r-- | src/vnet/ip/reass/ip6_sv_reass.c | 8 |
3 files changed, 17 insertions, 0 deletions
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h index 8546b4af8d3..6e5df0ef6ba 100644 --- a/src/vnet/ip/ip6_error.h +++ b/src/vnet/ip/ip6_error.h @@ -89,6 +89,7 @@ _ (REASS_NO_BUF, "out of buffers (drop)") \ _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout") \ _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error") \ + _ (REASS_INVALID_FRAG_LEN, "invalid fragment length") \ _ (REASS_UNSUPP_IP_PROTO, "unsupported ip protocol") // clang-format on diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c index fc7fa180ab0..c9509e3345e 100644 --- a/src/vnet/ip/reass/ip6_full_reass.c +++ b/src/vnet/ip/reass/ip6_full_reass.c @@ -41,6 +41,7 @@ typedef enum IP6_FULL_REASS_RC_TOO_MANY_FRAGMENTS, IP6_FULL_REASS_RC_NO_BUF, IP6_FULL_REASS_RC_HANDOFF, + IP6_FULL_REASS_RC_INVALID_FRAG_LEN, } ip6_full_reass_rc_t; typedef struct @@ -888,6 +889,10 @@ ip6_full_reass_update (vlib_main_t *vm, vlib_node_runtime_t *node, u32 fragment_length = vlib_buffer_length_in_chain (vm, fb) - (fvnb->ip.reass.ip6_frag_hdr_offset + sizeof (*frag_hdr)); + if (0 == fragment_length) + { + return IP6_FULL_REASS_RC_INVALID_FRAG_LEN; + } u32 fragment_last = fvnb->ip.reass.fragment_last = fragment_first + fragment_length - 1; int more_fragments = ip6_frag_hdr_more (frag_hdr); @@ -1207,6 +1212,9 @@ ip6_full_reassembly_inline (vlib_main_t * vm, case IP6_FULL_REASS_RC_INTERNAL_ERROR: counter = IP6_ERROR_REASS_INTERNAL_ERROR; break; + case IP6_FULL_REASS_RC_INVALID_FRAG_LEN: + counter = IP6_ERROR_REASS_INVALID_FRAG_LEN; + break; } if (~0 != counter) { diff --git a/src/vnet/ip/reass/ip6_sv_reass.c b/src/vnet/ip/reass/ip6_sv_reass.c index 3656c5a8f61..58c7d8d8433 100644 --- a/src/vnet/ip/reass/ip6_sv_reass.c +++ b/src/vnet/ip/reass/ip6_sv_reass.c @@ -41,6 +41,7 @@ typedef enum IP6_SV_REASS_RC_TOO_MANY_FRAGMENTS, IP6_SV_REASS_RC_INTERNAL_ERROR, IP6_SV_REASS_RC_UNSUPP_IP_PROTO, + IP6_SV_REASS_RC_INVALID_FRAG_LEN, } ip6_sv_reass_rc_t; typedef struct @@ -400,6 +401,10 @@ ip6_sv_reass_update (vlib_main_t *vm, vlib_node_runtime_t *node, u32 fragment_length = vlib_buffer_length_in_chain (vm, fb) - (fvnb->ip.reass.ip6_frag_hdr_offset + sizeof (*frag_hdr)); + if (0 == fragment_length) + { + return IP6_SV_REASS_RC_INVALID_FRAG_LEN; + } u32 fragment_last = fvnb->ip.reass.fragment_last = fragment_first + fragment_length - 1; fvnb->ip.reass.range_first = fragment_first; @@ -667,6 +672,9 @@ ip6_sv_reassembly_inline (vlib_main_t * vm, case IP6_SV_REASS_RC_INTERNAL_ERROR: counter = IP6_ERROR_REASS_INTERNAL_ERROR; break; + case IP6_SV_REASS_RC_INVALID_FRAG_LEN: + counter = IP6_ERROR_REASS_INVALID_FRAG_LEN; + break; } if (~0 != counter) { |