VPP-1523: harden reassembly

Change-Id: I00d7b38bd99e81e3921ce08cce50d613f11de36e Signed-off-by: Klement Sekera <ksekera@cisco.com>
author: Klement Sekera <ksekera@cisco.com> 2018-12-14 12:00:44 +0100
committer: Florin Coras <florin.coras@gmail.com> 2018-12-16 01:01:12 +0000
commit: 4ee633e84af18e9237554df2015a332749dc358a (patch)
tree: 2dc8ca1af04353d6bcb352527ad940312bea3423 /src/vnet
parent: ae8098350cb7b96f7495fa4d4180238064256e14 (diff)
1 files changed, 3 insertions, 5 deletions
diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c
index 346b223416e..3e9d22f7e55 100644
--- a/src/vnet/ip/ip4_reassembly.c
+++ b/src/vnet/ip/ip4_reassembly.c
@@ -930,13 +930,11 @@ ip4_reassembly_inline (vlib_main_t * vm,
 	    }
 	  else
 	    {
-	      ip4_header_t *fip = vlib_buffer_get_current (b0);
-	      const u32 fragment_first = ip4_get_fragment_offset_bytes (fip);
+	      const u32 fragment_first = ip4_get_fragment_offset_bytes (ip0);
 	      const u32 fragment_length =
-		clib_net_to_host_u16 (fip->length) - ip4_header_bytes (fip);
+		clib_net_to_host_u16 (ip0->length) - ip4_header_bytes (ip0);
 	      const u32 fragment_last = fragment_first + fragment_length - 1;
-	      if (fragment_first > fragment_last
-		  || fragment_first + fragment_length > UINT16_MAX - 20)
+	      if (fragment_first > fragment_last || fragment_first + fragment_length > UINT16_MAX - 20 || (fragment_length < 8 && ip4_get_fragment_more (ip0)))	// 8 is minimum frag length per RFC 791
 		{
 		  next0 = IP4_REASSEMBLY_NEXT_DROP;
 		  error0 = IP4_ERROR_REASS_MALFORMED_PACKET;
author	Klement Sekera <ksekera@cisco.com>	2018-12-14 12:00:44 +0100
committer	Florin Coras <florin.coras@gmail.com>	2018-12-16 01:01:12 +0000
commit	4ee633e84af18e9237554df2015a332749dc358a (patch)
tree	2dc8ca1af04353d6bcb352527ad940312bea3423 /src/vnet
parent	ae8098350cb7b96f7495fa4d4180238064256e14 (diff)