From 72171c12b56d1a3ed9f903ea0e09de3faebe0c05 Mon Sep 17 00:00:00 2001 From: Jisu Kim Date: Tue, 19 Sep 2017 14:12:10 +0200 Subject: [PATCH] ipv6 ready: Hop-by-Hop and destination option header must be checked more detailed (see patch #9455) Hop-by-Hop, Destination option header structures consist of 2 unsigned char; next option type and header length field. And TLV(Type-Length-Value) option headers come by the number in header length field. If the option type in TLV option header is not recognized and 2 MSB is not 0, it is handled as an exception. Signed-off-by: goldsimon --- src/core/ipv6/ip6.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/core/ipv6/ip6.c b/src/core/ipv6/ip6.c index 9f509ea5..265bba3e 100644 --- a/src/core/ipv6/ip6.c +++ b/src/core/ipv6/ip6.c @@ -837,9 +837,18 @@ netif_found: default: goto options_done; } - } -options_done: + if (*nexth == IP6_NEXTH_HOPBYHOP) { + /* Hop-by-Hop header comes only as a first option */ + icmp6_param_problem(p, ICMP6_PP_HEADER, nexth); + LWIP_DEBUGF(IP6_DEBUG, ("ip6_input: packet with Hop-by-Hop options header dropped (only valid as a first option)\n")); + pbuf_free(p); + IP6_STATS_INC(ip6.drop); + goto ip6_input_cleanup; + } + } + +options_done: if (hlen_tot >= 0x8000) { /* s16_t overflow */ LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS, ("ip6_input: header length overflow: %"U16_F"\n", hlen_tot));