From 936197467aac08b7620c9cb0614817b90466968e Mon Sep 17 00:00:00 2001 From: Florin Coras Date: Tue, 31 Mar 2020 01:49:40 +0000 Subject: udp: validate input data length Type: fix Signed-off-by: Florin Coras Change-Id: I3f34011ca61ded310d0411e7b50548982bd164ac --- src/vnet/udp/udp_input.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'src/vnet/udp/udp_input.c') diff --git a/src/vnet/udp/udp_input.c b/src/vnet/udp/udp_input.c index bd4e75710f5..453e123f02e 100644 --- a/src/vnet/udp/udp_input.c +++ b/src/vnet/udp/udp_input.c @@ -89,7 +89,7 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, while (n_left_from > 0) { - u32 bi0, fib_index0; + u32 bi0, fib_index0, data_len; vlib_buffer_t *b0; u32 error0 = UDP_ERROR_ENQUEUED; udp_header_t *udp0; @@ -125,7 +125,8 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, udp0->src_port, TRANSPORT_PROTO_UDP); lcl_addr = &ip40->dst_address; rmt_addr = &ip40->src_address; - + data_len = clib_net_to_host_u16 (ip40->length); + data_len -= sizeof (ip4_header_t) + sizeof (udp_header_t); } else { @@ -135,6 +136,8 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, udp0->src_port, TRANSPORT_PROTO_UDP); lcl_addr = &ip60->dst_address; rmt_addr = &ip60->src_address; + data_len = clib_net_to_host_u16 (ip60->payload_length); + data_len -= sizeof (udp_header_t); } if (PREDICT_FALSE (!s0)) @@ -228,12 +231,12 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (svm_fifo_max_enqueue_prod (s0->rx_fifo) - < b0->current_length + sizeof (session_dgram_hdr_t)) + < data_len + sizeof (session_dgram_hdr_t)) { error0 = UDP_ERROR_FIFO_FULL; goto trace0; } - hdr0.data_length = b0->current_length; + hdr0.data_length = b0->current_length = data_len; hdr0.data_offset = 0; ip_set (&hdr0.lcl_ip, lcl_addr, is_ip4); ip_set (&hdr0.rmt_ip, rmt_addr, is_ip4); -- cgit 1.2.3-korg