From f53b7d5e97665b6598adc376f214ed88bf2b33d4 Mon Sep 17 00:00:00 2001
From: Yoann Desmouceaux
Date: Mon, 11 Apr 2016 10:38:23 +0200
Subject: Fix possible infinite loop in IPv6 hop-by-hop header parsing
Unknown hop-by-hop options are currently not processed, which triggers an infinite loop due to the pointer not advancing further in the header.
Change-Id: Idf9176090e042b17aac1baa25a6cb4beb8c199d8
Signed-off-by: Yoann Desmouceaux
---
vnet/vnet/ip/ip6_hop_by_hop.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/vnet/vnet/ip/ip6_hop_by_hop.c b/vnet/vnet/ip/ip6_hop_by_hop.c
index 74f79506007..bd96c9b0a28 100644
--- a/vnet/vnet/ip/ip6_hop_by_hop.c
+++ b/vnet/vnet/ip/ip6_hop_by_hop.c
@@ -429,6 +429,12 @@ ip6_hop_by_hop_node_fn (vlib_main_t * vm,
case 0: /* Pad */ opt0 = (ip6_hop_by_hop_option_t *) ((u8 *)opt0) + 1; goto out0; + + default: + opt0 = (ip6_hop_by_hop_option_t *) + (((u8 *)opt0) + opt0->length + + sizeof (ip6_hop_by_hop_option_t)); + break; } }
--
cgit 1.2.3-korg
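Review bot: The new `default:` arm advances `opt0` by `opt0->length`, a byte taken from the received packet, without checking that the option still fits inside the hop-by-hop header. The loop condition lies outside this hunk, so this is hedged: if it only compares the pointer with the end of the header, a header that ends on a lone type byte would have its length field read from beyond the header, and an over-long option is skipped as far as it claims. Bound the step before taking it, for example `if ((u8 *) opt0 + sizeof (*opt0) + opt0->length > (u8 *) HBH_END) goto out0;`, where `HBH_END` is a placeholder for whatever end-of-header pointer the function already keeps. A one-line comment such as `/* Unknown option: skip its type/length bytes plus opt0->length bytes of data */` would also record why the arm exists. Separately, in the unchanged Pad arm the cast binds before `+ 1`, so it steps by `sizeof (ip6_hop_by_hop_option_t)` rather than one byte, unlike the parenthesised form added here.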