udp: validate input data length
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I3f34011ca61ded310d0411e7b50548982bd164ac
This commit is contained in:
Florin Coras
committed by
Dave Barach
Dave Barach
parent
8c18f85d32
commit
936197467a
@ -89,7 +89,7 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
|
||||
|
||||
while (n_left_from > 0)
|
||||
{
|
||||
u32 bi0, fib_index0;
|
||||
u32 bi0, fib_index0, data_len;
|
||||
vlib_buffer_t *b0;
|
||||
u32 error0 = UDP_ERROR_ENQUEUED;
|
||||
udp_header_t *udp0;
|
||||
@ -125,7 +125,8 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
|
||||
udp0->src_port, TRANSPORT_PROTO_UDP);
|
||||
lcl_addr = &ip40->dst_address;
|
||||
rmt_addr = &ip40->src_address;
|
||||
|
||||
data_len = clib_net_to_host_u16 (ip40->length);
|
||||
data_len -= sizeof (ip4_header_t) + sizeof (udp_header_t);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -135,6 +136,8 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
|
||||
udp0->src_port, TRANSPORT_PROTO_UDP);
|
||||
lcl_addr = &ip60->dst_address;
|
||||
rmt_addr = &ip60->src_address;
|
||||
data_len = clib_net_to_host_u16 (ip60->payload_length);
|
||||
data_len -= sizeof (udp_header_t);
|
||||
}
|
||||
|
||||
if (PREDICT_FALSE (!s0))
|
||||
@ -228,12 +231,12 @@ udp46_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
|
||||
|
||||
|
||||
if (svm_fifo_max_enqueue_prod (s0->rx_fifo)
|
||||
< b0->current_length + sizeof (session_dgram_hdr_t))
|
||||
< data_len + sizeof (session_dgram_hdr_t))
|
||||
{
|
||||
error0 = UDP_ERROR_FIFO_FULL;
|
||||
goto trace0;
|
||||
}
|
||||
hdr0.data_length = b0->current_length;
|
||||
hdr0.data_length = b0->current_length = data_len;
|
||||
hdr0.data_offset = 0;
|
||||
ip_set (&hdr0.lcl_ip, lcl_addr, is_ip4);
|
||||
ip_set (&hdr0.rmt_ip, rmt_addr, is_ip4);
|
||||
|
||||
Reference in New Issue
Block a user