From fda778f6b63e390c56eeb9995cd79556b404dac1 Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Thu, 16 Jun 2016 13:51:38 +0200
Subject: [PATCH] ip6_reass: don't crash if frag header isn't the first (or not in the first pbuf)
---
 src/core/ipv6/ip6_frag.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/core/ipv6/ip6_frag.c b/src/core/ipv6/ip6_frag.c
index c9e13cd2..b950c194 100644
--- a/src/core/ipv6/ip6_frag.c
+++ b/src/core/ipv6/ip6_frag.c
@@ -268,8 +268,12 @@ ip6_reass(struct pbuf *p)
 IP6_FRAG_STATS_INC(ip6_frag.recv);
- LWIP_ASSERT("ip6_frag_hdr must be in the first pbuf, not chained",
- (const void*)ip6_current_header() == ((u8_t*)p->payload) - IP6_HLEN);
+ if ((const void*)ip6_current_header() != ((u8_t*)p->payload) - IP6_HLEN) {
+ /* ip6_frag_hdr must be in the first pbuf, not chained */
+ IP6_FRAG_STATS_INC(ip6_frag.proterr);
+ IP6_FRAG_STATS_INC(ip6_frag.drop);
+ goto nullreturn;
+ }
 frag_hdr = (struct ip6_frag_hdr *) p->payload;
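Review bot: The comment carried over from the old assert text, `/* ip6_frag_hdr must be in the first pbuf, not chained */`, covers only half of what the new `if` rejects: the comparison against `((u8_t*)p->payload) - IP6_HLEN` also fails whenever another extension header sits between the fixed IPv6 header and the fragment header, which is the case the subject line names. I would spell that out, e.g. `/* frag hdr must directly follow the fixed IPv6 header in the first pbuf; other layouts are not supported by reassembly, so drop */`, so that a reader of the `proterr` counter does not assume the packet was malformed. Because this condition is decided by received traffic, dropping instead of asserting is the right direction, but the cast `frag_hdr = (struct ip6_frag_hdr *) p->payload;` right after it still relies on the caller having checked that the first pbuf holds a complete fragment header, which is not visible here and worth confirming. The `nullreturn` label and the rest of `ip6_reass` lie outside the hunk, so I am assuming that path frees `p`.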