From: Yoann Desmouceaux <ydesmouc@cisco.com>
Date: Mon, 11 Apr 2016 08:38:23 +0000 (+0200)
Subject: Fix possible infinite loop in IPv6 hop-by-hop header parsing
X-Git-Tag: v16.06-rc1~173
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F32%2F732%2F2;p=vpp.git

Fix possible infinite loop in IPv6 hop-by-hop header parsing

Unknown hop-by-hop options are currently not processed, which triggers an
infinite loop due to the pointer not advancing further in the header.

Change-Id: Idf9176090e042b17aac1baa25a6cb4beb8c199d8
Signed-off-by: Yoann Desmouceaux <ydesmouc@cisco.com>
---

diff --git a/vnet/vnet/ip/ip6_hop_by_hop.c b/vnet/vnet/ip/ip6_hop_by_hop.c
index 74f79506007..bd96c9b0a28 100644
--- a/vnet/vnet/ip/ip6_hop_by_hop.c
+++ b/vnet/vnet/ip/ip6_hop_by_hop.c
@@ -429,6 +429,12 @@ ip6_hop_by_hop_node_fn (vlib_main_t * vm,
                 case 0: /* Pad */
                   opt0 = (ip6_hop_by_hop_option_t *) ((u8 *)opt0) + 1;
                   goto out0;
+
+                default:
+                  opt0 = (ip6_hop_by_hop_option_t *)
+                  (((u8 *)opt0) + opt0->length
+                  + sizeof (ip6_hop_by_hop_option_t));
+                  break;
                 }
             }