From: Yoann Desmouceaux Date: Wed, 29 Jun 2016 16:30:29 +0000 (+0200) Subject: IPv6 frag: avoid overflow while parsing extension headers X-Git-Tag: v16.09-rc1~180 X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=0557a91ca727cee963a8179808d2d2108564ec56;p=vpp.git IPv6 frag: avoid overflow while parsing extension headers A malicious packet could advertise an extension header length bigger than the actual packet length, which would cause an overflow. Change-Id: I277123e6fde6937b0170f2b2e33846bd22848ac4 Signed-off-by: Yoann Desmouceaux --- diff --git a/vnet/vnet/ip/ip_frag.c b/vnet/vnet/ip/ip_frag.c index 5437c265c95..38befc2b2ea 100644 --- a/vnet/vnet/ip/ip_frag.c +++ b/vnet/vnet/ip/ip_frag.c @@ -274,6 +274,13 @@ ip6_frag_do_fragment(vlib_main_t *vm, u32 pi, u32 **buffer, ip_frag_error_t *err payload += payload[1] * 8; } + if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length)) { + //A malicious packet could set an extension header with a too big size + //and make us modify another vlib_buffer + *error = IP6_ERROR_TOO_SHORT; + return; + } + u8 has_more; u16 initial_offset; if (*next_header == IP_PROTOCOL_IPV6_FRAGMENTATION) {
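Review bot: The added `if (PREDICT_FALSE(payload >= (u8 *)vlib_buffer_get_current(p) + p->current_length))` test only proves that `payload` is still strictly before the end of the buffer, so a packet that leaves a single byte after the last extension header passes it. The code that follows the hunk goes on to handle `IP_PROTOCOL_IPV6_FRAGMENTATION` at that position, and a header that needs more bytes than remain would still be read past `current_length`. Consider comparing `payload` plus the size of whatever is parsed next against the end pointer instead of comparing `payload` alone. The test also sits after the closing brace of the block that runs `payload += payload[1] * 8;`, so `payload[1]` has already been dereferenced by the time the bound is checked. If that block can run more than once per packet, the bound needs to be checked inside it, before each read of `payload[1]`. Separately, the hunk header shows the parameter typed as `ip_frag_error_t *`, while the value stored is `IP6_ERROR_TOO_SHORT`, which by its name belongs to a different error enum. Please confirm that the caller interprets this value as intended, or use a code from `ip_frag_error_t`.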