IPv6 frag: avoid overflow while parsing extension headers 13/1813/3
author Yoann Desmouceaux <ydesmouc@cisco.com>
Wed, 29 Jun 2016 16:30:29 +0000 (18:30 +0200)
committer Dave Barach <openvpp@barachs.net>
Fri, 8 Jul 2016 14:17:19 +0000 (14:17 +0000)
A malicious packet could advertise an extension header length bigger than
the actual packet length, which would cause an overflow.

Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
vnet/vnet/ip/ip_frag.c

index 5437c26..38befc2 100644 (file)
@@ -274,6 +274,13 @@ ip6_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err
     payload += payload[1] * 8;
   }
 
+  if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) {
+       //A malicious packet could set an extension header with a too big size
+       //and make us modify another vlib_buffer
+       *error = IP6_ERROR_TOO_SHORT;
+       return;
+  }
+
   u8 has_more;
   u16 initial_offset;
   if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) {
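Review bot: the new bound check runs only after the extension-header walk has finished, but the loop ending at `payload += payload[1] * 8;` dereferences `payload[1]` on every iteration with no check of its own, so an earlier oversized header can push `payload` past the end of the buffer and the next iteration reads out of bounds before this check ever executes. Suggest hoisting the comparison into the loop, i.e. verifying `payload + 2 <= (u8 *)vlib_buffer_get_current(p) + p->current_length` before reading `payload[0]`/`payload[1]` and advancing, and keeping the post-loop check as the final guard. Two smaller points: the fragmentation branch that follows needs the full 8-byte fragment header, so a check of `payload + 8 > end` would reject a truncated fragment header that `payload >= end` lets through; and the added lines mix tab and space indentation and `//` comments in a file whose surrounding lines use two-space indentation, which is worth normalising before merge.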