Fix possible infinite loop in IPv6 hop-by-hop header parsing

Unknown hop-by-hop options are currently not processed, which triggers an infinite loop due to the pointer not advancing further in the header. Change-Id: Idf9176090e042b17aac1baa25a6cb4beb8c199d8 Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
2016-04-11 10:38:23 +02:00
parent 5ac4a0f76a
commit f53b7d5e97
1 changed files with 6 additions and 0 deletions
--- a/vnet/vnet/ip/ip6_hop_by_hop.c
+++ b/vnet/vnet/ip/ip6_hop_by_hop.c
@ -429,6 +429,12 @@ ip6_hop_by_hop_node_fn (vlib_main_t * vm,
                case 0: /* Pad */
                  opt0 = (ip6_hop_by_hop_option_t *) ((u8 *)opt0) + 1;
                  goto out0;
+
+                default:
+                  opt0 = (ip6_hop_by_hop_option_t *)
+                  (((u8 *)opt0) + opt0->length
+                  + sizeof (ip6_hop_by_hop_option_t));
+                  break;
                }
            }