mirror of
https://github.com/lwip-tcpip/lwip.git
synced 2025-01-12 21:41:28 +00:00
ipv6 ready: Hop-by-Hop and destination option header must be checked more detailed (see patch #9455)
The Hop-by-Hop and Destination option header structures consist of 2 unsigned chars: the next option type and the header length field. The TLV (Type-Length-Value) option headers then come by the number in the header length field. If the option type in a TLV option header is not recognized and its 2 MSBs are not 0, it is handled as an exception.
Signed-off-by: goldsimon <goldsimon@gmx.de>
parent
acb4b60517
commit
72171c12b5
@ -837,9 +837,18 @@ netif_found:
|
|||||||
default:
|
default:
|
||||||
goto options_done;
|
goto options_done;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
options_done:
|
|
||||||
|
|
||||||
|
if (*nexth == IP6_NEXTH_HOPBYHOP) {
|
||||||
|
/* Hop-by-Hop header comes only as a first option */
|
||||||
|
icmp6_param_problem(p, ICMP6_PP_HEADER, nexth);
|
||||||
|
LWIP_DEBUGF(IP6_DEBUG, ("ip6_input: packet with Hop-by-Hop options header dropped (only valid as a first option)\n"));
|
||||||
|
pbuf_free(p);
|
||||||
|
IP6_STATS_INC(ip6.drop);
|
||||||
|
goto ip6_input_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
options_done:
|
||||||
if (hlen_tot >= 0x8000) {
|
if (hlen_tot >= 0x8000) {
|
||||||
/* s16_t overflow */
|
/* s16_t overflow */
|
||||||
LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS, ("ip6_input: header length overflow: %"U16_F"\n", hlen_tot));
|
LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS, ("ip6_input: header length overflow: %"U16_F"\n", hlen_tot));
|
||||||
|
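Review bot: The `icmp6_param_problem(p, ICMP6_PP_HEADER, nexth)` call in the new Hop-by-Hop block is unconditional, so a packet sent to a multicast destination with a misplaced Hop-by-Hop header would still be answered with an ICMPv6 error. RFC 4443 section 2.4(e) allows errors in reply to multicast-destined packets only for Packet Too Big and the unrecognized-option Parameter Problem, and `ICMP6_PP_HEADER` is by its name the header-type code. Unless `icmp6_param_problem` filters this itself (not visible in this hunk), guard the call with `if (!ip6_addr_ismulticast(ip6_current_dest_addr())) { icmp6_param_problem(p, ICMP6_PP_HEADER, nexth); }` and leave the free, stats and `goto` lines as they are. The comment and debug string would also read more accurately as "only valid directly after the IPv6 header" than "as a first option", since this is an extension header rather than an option. The enclosing function starts and ends outside the hunk.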