summaryrefslogtreecommitdiffstats
path: root/src/vnet/ip
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ip')
-rw-r--r--src/vnet/ip/ip.api6
-rw-r--r--src/vnet/ip/ip4_input.h8
2 files changed, 11 insertions, 3 deletions
diff --git a/src/vnet/ip/ip.api b/src/vnet/ip/ip.api
index 23e094b48a0..8a6ecc8da2f 100644
--- a/src/vnet/ip/ip.api
+++ b/src/vnet/ip/ip.api
@@ -1020,6 +1020,12 @@ counters ip4 {
units "packets";
description "ip4 ttl <= 1";
};
+ hdr_too_short {
+ severity error;
+ type counter64;
+ units "packets";
+ description "ip4 IHL < 5";
+ };
/* Errors signalled by ip4-rewrite. */
mtu_exceeded {
diff --git a/src/vnet/ip/ip4_input.h b/src/vnet/ip/ip4_input.h
index 57aef0bf77a..d2ed13fa35f 100644
--- a/src/vnet/ip/ip4_input.h
+++ b/src/vnet/ip/ip4_input.h
@@ -60,15 +60,17 @@ check_ver_opt_csum (ip4_header_t * ip, u8 * error, int verify_checksum)
{
if (PREDICT_FALSE (ip->ip_version_and_header_length != 0x45))
{
- if ((ip->ip_version_and_header_length & 0xf) != 5)
+ if ((ip->ip_version_and_header_length & 0xf0) != 0x40)
+ *error = IP4_ERROR_VERSION;
+ else if ((ip->ip_version_and_header_length & 0x0f) < 5)
+ *error = IP4_ERROR_HDR_TOO_SHORT;
+ else
{
*error = IP4_ERROR_OPTIONS;
if (verify_checksum &&
clib_ip_csum ((u8 *) ip, ip4_header_bytes (ip)) != 0)
*error = IP4_ERROR_BAD_CHECKSUM;
}
- else
- *error = IP4_ERROR_VERSION;
}
else if (PREDICT_FALSE (verify_checksum &&
clib_ip_csum ((u8 *) ip, sizeof (ip4_header_t)) !=