Fix possible infinite loop in IPv6 hop-by-hop header parsing

Unknown hop-by-hop options are currently not processed, which triggers an
infinite loop due to the pointer not advancing further in the header.

Change-Id: Idf9176090e042b17aac1baa25a6cb4beb8c199d8
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>

diff --git a/vnet/vnet/ip/ip6_hop_by_hop.c b/vnet/vnet/ip/ip6_hop_by_hop.c
index 74f7950..bd96c9b 100644 (file)
--- a/vnet/vnet/ip/ip6_hop_by_hop.c
+++ b/vnet/vnet/ip/ip6_hop_by_hop.c
@@ -429,6 +429,12 @@ ip6_hop_by_hop_node_fn (vlib_main_t * vm,
                 case 0: /* Pad */
                   opt0 = (ip6_hop_by_hop_option_t *) ((u8 *)opt0) + 1;
                   goto out0;
+
+                default:
+                  opt0 = (ip6_hop_by_hop_option_t *)
+                  (((u8 *)opt0) + opt0->length
+                  + sizeof (ip6_hop_by_hop_option_t));
+                  break;
                 }
             }