From 0557a91ca727cee963a8179808d2d2108564ec56 Mon Sep 17 00:00:00 2001
From: Yoann Desmouceaux <ydesmouc@cisco.com>
Date: Wed, 29 Jun 2016 18:30:29 +0200
Subject: IPv6 frag: avoid overflow while parsing extension headers

A malicious packet could advertise an extension header length bigger than
the actual packet length, which would cause an overflow.

Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
---
 vnet/vnet/ip/ip_frag.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/vnet/vnet/ip/ip_frag.c b/vnet/vnet/ip/ip_frag.c
index 5437c265c95..38befc2b2ea 100644
--- a/vnet/vnet/ip/ip_frag.c
+++ b/vnet/vnet/ip/ip_frag.c
@@ -274,6 +274,13 @@ ip6_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err
     payload += payload[1] * 8;
   }
 
+  if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) {
+	//A malicious packet could set an extension header with a too big size
+	//and make us modify another vlib_buffer
+	*error = IP6_ERROR_TOO_SHORT;
+	return;
+  }
+
   u8 has_more;
   u16 initial_offset;
   if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) {
-- 
cgit 1.2.3-korg