From d98e25a783a5b1ee9813b8337232384660fd545f Mon Sep 17 00:00:00 2001
From: Erik Ekman
Date: Tue, 14 Jun 2016 14:19:55 +0200
Subject: [PATCH] nd6: Handle incorrect ICMP option length in RA

Make sure ICMPv6 options have a valid length before parsing them. Found with afl-fuzz.
---
 src/core/ipv6/nd6.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/core/ipv6/nd6.c b/src/core/ipv6/nd6.c
index fc85af66..5a4df305 100644
--- a/src/core/ipv6/nd6.c
+++ b/src/core/ipv6/nd6.c
@@ -443,6 +443,13 @@ nd6_input(struct pbuf *p, struct netif *inp)
 buffer = nd6_ra_buffer;
 pbuf_copy_partial(p, buffer, sizeof(struct prefix_option), offset);
 }
+ if (buffer[1] == 0) {
+ /* zero-length extension. drop packet */
+ pbuf_free(p);
+ ND6_STATS_INC(nd6.lenerr);
+ ND6_STATS_INC(nd6.drop);
+ return;
+ }
 switch (buffer[0]) {
 case ND6_OPTION_TYPE_SOURCE_LLADDR:
 {
@@ -511,6 +518,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
 ND6_STATS_INC(nd6.proterr);
 break;
 }
+ /* option length is checked earlier to be non-zero to make sure loop ends */
 offset += 8 * ((u16_t)buffer[1]);
 }
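Review bot: The new `if (buffer[1] == 0)` guard in the first hunk only stops the infinite loop; it does not check that the packet actually contains the `8 * buffer[1]` bytes the option claims, nor that the declared length is large enough for the type-specific struct the per-option parsers read. A crafted RA whose last option is truncated (for example a prefix option announcing length 4 but with only a few bytes left in the pbuf) still reaches the `switch`, and the return value of `pbuf_copy_partial()` is not checked, so `nd6_ra_buffer` may hold stale bytes from a previous option; when `buffer` aliases the payload directly the parser can read past the end of the packet. I would extend the guard to `if (buffer[1] == 0 || (p->tot_len - offset) < 8 * ((u16_t)buffer[1])) {` and, in the individual cases, require the option length to cover the struct being read (e.g. `sizeof(struct prefix_option)`) before touching its fields. The loop condition, the `buffer` selection logic and the `nd6_input()` body all lie outside this hunk, so the exact remaining-length expression should be confirmed against the enclosing `while`.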