From 4ee633e84af18e9237554df2015a332749dc358a Mon Sep 17 00:00:00 2001
From: Klement Sekera
Date: Fri, 14 Dec 2018 12:00:44 +0100
Subject: VPP-1523: harden reassembly

Change-Id: I00d7b38bd99e81e3921ce08cce50d613f11de36e
Signed-off-by: Klement Sekera
---
 src/vnet/ip/ip4_reassembly.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
(limited to 'src/vnet/ip/ip4_reassembly.c')
diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c
index 346b223416e..3e9d22f7e55 100644
--- a/src/vnet/ip/ip4_reassembly.c
+++ b/src/vnet/ip/ip4_reassembly.c
@@ -930,13 +930,11 @@ ip4_reassembly_inline (vlib_main_t * vm,
 }
 else
 {
- ip4_header_t *fip = vlib_buffer_get_current (b0);
- const u32 fragment_first = ip4_get_fragment_offset_bytes (fip);
+ const u32 fragment_first = ip4_get_fragment_offset_bytes (ip0);
 const u32 fragment_length =
- clib_net_to_host_u16 (fip->length) - ip4_header_bytes (fip);
+ clib_net_to_host_u16 (ip0->length) - ip4_header_bytes (ip0);
 const u32 fragment_last = fragment_first + fragment_length - 1;
- if (fragment_first > fragment_last
- || fragment_first + fragment_length > UINT16_MAX - 20)
+ if (fragment_first > fragment_last || fragment_first + fragment_length > UINT16_MAX - 20 || (fragment_length < 8 && ip4_get_fragment_more (ip0))) // 8 is minimum frag length per RFC 791
 {
 next0 = IP4_REASSEMBLY_NEXT_DROP;
 error0 = IP4_ERROR_REASS_MALFORMED_PACKET;
-- 
cgit 1.2.3-korg
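Review bot: The length arithmetic at the top of this `else` branch is still unsigned 32-bit, so `clib_net_to_host_u16 (ip0->length) - ip4_header_bytes (ip0)` wraps to a very large `fragment_length` whenever the total-length field is smaller than the header length, and the conditions in the `if` catch that case only indirectly, through further wraparound of `fragment_first + fragment_length` and `fragment_last`. For some fragment offsets those wrapped sums fall back into range, and the new `fragment_length < 8` clause does not fire on a huge value either. Unless an earlier node already guarantees total length >= header length (not visible in this hunk), I would make it the first condition: `clib_net_to_host_u16 (ip0->length) < ip4_header_bytes (ip0) ||`. The new condition would also read better split one clause per line, like the lines it replaces, with the RFC 791 remark as a comment above the `if` and the `8` given a name. `ip4_reassembly_inline` begins and ends outside the hunk.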