A malicious packet could advertise an extension header length bigger than
the actual packet length, which would cause an overflow.
Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
payload += payload[1] * 8;
}
+ if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) {
+ //A malicious packet could set an extension header with a too big size
+ //and make us modify another vlib_buffer
+ *error = IP6_ERROR_TOO_SHORT;
+ return;
+ }
+
u8 has_more;
u16 initial_offset;
if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) {
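Review bot: The added check only rejects `payload` once it is at or past `(u8 *)vlib_buffer_get_current(p) + p->current_length`, so a pointer that lands on the last few bytes of the buffer still passes, and the `IP_PROTOCOL_IPV6_FRAGMENTATION` branch that follows presumably reads a whole fragment header from that position. The check also runs after the walk that does `payload += payload[1] * 8;`, so if that walk iterates more than once (its loop header is outside the hunk), the length byte of a later extension header can be read beyond `current_length` before this test is reached. Consider computing the end pointer once and comparing the remaining bytes with what is about to be read, e.g. `if (PREDICT_FALSE(payload + 2 > end)) { *error = IP6_ERROR_TOO_SHORT; return; }` before each `payload[1]` access, and the same form with the fragment header size ahead of the fragmentation branch. The enclosing function starts and ends outside the hunk, so both points need confirming against the full body.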