IPv6 frag: avoid overflow while parsing extension headers

A malicious packet could advertise an extension header length bigger than the actual packet length, which would cause an overflow. Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4 Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
2016-06-29 18:30:29 +02:00
parent 4d5cabde54
commit 0557a91ca7
1 changed files with 7 additions and 0 deletions
--- a/vnet/vnet/ip/ip_frag.c
+++ b/vnet/vnet/ip/ip_frag.c
@ -274,6 +274,13 @@ ip6_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err
    payload += payload[1] * 8;
  }

+  if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) {
+	//A malicious packet could set an extension header with a too big size
+	//and make us modify another vlib_buffer
+	*error = IP6_ERROR_TOO_SHORT;
+	return;
+  }
+
  u8 has_more;
  u16 initial_offset;
  if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) {