michaelh/zephyr
1
0
Fork 0
Code Releases Activity

net: contiki: Check IPv6 extension header length

Browse source 
If the received packet is corrupted and the IPv6 extension
header is too big, then just discard the packet.

Change-Id: I5071fc48a927d14f02ed3dda199f67c095d05b91
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
This commit is contained in:
Jukka Rissanen 2016-03-21 14:20:20 +02:00 committed by Gerrit Code Review
commit 3f9e87c318
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
net/ip/contiki/ipv6/uip6.c
View file

@ -878,6 +878,12 @@ ext_hdr_options_process(struct net_buf *buf)
* 8 bytes, excluding the first 8 bytes * 8 bytes, excluding the first 8 bytes
* length field in an option : the length of data in the option * length field in an option : the length of data in the option
*/ */
if (((UIP_EXT_BUF(buf)->len << 3) + 8) > buf->len) {
PRINTF("Corrupted packet, extension header %d too long (max %d bytes)\n",
(UIP_EXT_BUF(buf)->len << 3) + 8, buf->len);
return 1; /* invalid packet, drop it */
}
uip_ext_opt_offset(buf) = 2; uip_ext_opt_offset(buf) = 2;
while(uip_ext_opt_offset(buf) < ((UIP_EXT_BUF(buf)->len << 3) + 8)) { while(uip_ext_opt_offset(buf) < ((UIP_EXT_BUF(buf)->len << 3) + 8)) {
switch(UIP_EXT_HDR_OPT_BUF(buf)->type) { switch(UIP_EXT_HDR_OPT_BUF(buf)->type) {