nd6: Handle incorrect ICMP option length in RA

Make sure ICMPv6 options have a valid length before
parsing them.

Found with afl-fuzz.
Erik Ekman 2016-06-14 14:19:55 +02:00
parent 4e241fbf14
commit d98e25a783


@ -443,6 +443,13 @@ nd6_input(struct pbuf *p, struct netif *inp)
buffer = nd6_ra_buffer; buffer = nd6_ra_buffer;
pbuf_copy_partial(p, buffer, sizeof(struct prefix_option), offset); pbuf_copy_partial(p, buffer, sizeof(struct prefix_option), offset);
} }
if (buffer[1] == 0) {
/* zero-length extension. drop packet */
pbuf_free(p);
ND6_STATS_INC(nd6.lenerr);
ND6_STATS_INC(nd6.drop);
return;
}
switch (buffer[0]) { switch (buffer[0]) {
case ND6_OPTION_TYPE_SOURCE_LLADDR: case ND6_OPTION_TYPE_SOURCE_LLADDR:
{ {
@ -511,6 +518,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
ND6_STATS_INC(nd6.proterr); ND6_STATS_INC(nd6.proterr);
break; break;
} }
/* option length is checked earlier to be non-zero to make sure loop ends */
offset += 8 * ((u16_t)buffer[1]); offset += 8 * ((u16_t)buffer[1]);
} }
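Review bot: The new guard `if (buffer[1] == 0)` rejects only a zero length, so an option whose declared size `8 * buffer[1]` runs past the end of the packet is still handed to the `switch`. The `pbuf_copy_partial()` call just above it also ignores its return value, so when the packet ends inside the option the case bodies would, as far as this hunk shows, parse whatever was already in `nd6_ra_buffer`. I would bound the length against what remains, e.g. `if (buffer[1] == 0 || 8 * (u16_t)buffer[1] > p->tot_len - offset) {`, and have each case confirm the length expected for its option type before casting. The loop header and the branch that points `buffer` directly at the payload are outside the hunk, so confirm there that `offset` cannot exceed `p->tot_len`.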