From 61e067b98a1f58632f0ff4a7573a79a884812098 Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Fri, 17 Jun 2016 09:36:14 +0200
Subject: [PATCH] Check for minimum IPv4 header length in rx packets
---
 src/core/ipv4/icmp.c | 4 ++++
 src/core/ipv4/ip4.c | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/core/ipv4/icmp.c b/src/core/ipv4/icmp.c
index 9202bb65..fdbe01c1 100644
--- a/src/core/ipv4/icmp.c
+++ b/src/core/ipv4/icmp.c
@@ -89,6 +89,10 @@ icmp_input(struct pbuf *p, struct netif *inp)
 iphdr_in = ip4_current_header();
 hlen = IPH_HL(iphdr_in) * 4;
+ if (hlen < IP_HLEN) {
+ LWIP_DEBUGF(ICMP_DEBUG, ("icmp_input: short IP header (%"S16_F" bytes) received\n", hlen));
+ goto lenerr;
+ }
 if (p->len < sizeof(u16_t)*2) {
 LWIP_DEBUGF(ICMP_DEBUG, ("icmp_input: short ICMP (%"U16_F" bytes) received\n", p->tot_len));
 goto lenerr;
diff --git a/src/core/ipv4/ip4.c b/src/core/ipv4/ip4.c
index 056a4946..184cfce7 100644
--- a/src/core/ipv4/ip4.c
+++ b/src/core/ipv4/ip4.c
@@ -410,7 +410,11 @@ ip4_input(struct pbuf *p, struct netif *inp)
 }
 /* header length exceeds first pbuf length, or ip length exceeds total pbuf length? */
- if ((iphdr_hlen > p->len) || (iphdr_len > p->tot_len)) {
+ if ((iphdr_hlen > p->len) || (iphdr_len > p->tot_len) || (iphdr_hlen < IP_HLEN)) {
+ if (iphdr_hlen < IP_HLEN) {
+ LWIP_DEBUGF(IP_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
+ ("ip4_input: short IP header (%"U16_F" bytes) received, IP packet dropped\n", iphdr_hlen));
+ }
 if (iphdr_hlen > p->len) {
 LWIP_DEBUGF(IP_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
 ("IP header (len %"U16_F") does not fit in first pbuf (len %"U16_F"), IP packet dropped.\n",
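Review bot: The new `hlen < IP_HLEN` guard in icmp_input carries no comment explaining why ICMP re-checks a header length that ip4_input now rejects in the same commit, and it logs at plain `ICMP_DEBUG` while the ip4.c message uses `IP_DEBUG | LWIP_DBG_LEVEL_SERIOUS`. I would add `/* header shorter than the minimum IPv4 header is malformed; re-checked here as defence in depth before hlen is used */` above the `if` and log with `ICMP_DEBUG | LWIP_DBG_LEVEL_SERIOUS` so both drops are reported at the same severity. The message prints hlen with `S16_F` whereas ip4.c prints the equivalent value with `U16_F`; the declaration of hlen is outside the hunk, so the specifier should be confirmed against it. icmp_input starts and ends outside the hunk.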
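Review bot: The comment above the widened condition in ip4_input still names only the two old cases, so the new `iphdr_hlen < IP_HLEN` term is undocumented; I would extend it to `/* header length exceeds first pbuf length, ip length exceeds total pbuf length, or header shorter than the minimum IPv4 header? */`. The test also never compares `iphdr_len` with `iphdr_hlen`: unless code earlier in ip4_input already guarantees that the total-length field covers the header, `|| (iphdr_len < iphdr_hlen)` belongs in the same condition. The rest of the drop branch lies outside the hunk, so it is not visible whether a short header is counted and freed the same way as the existing two cases.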