From 755042dec0fcc733d456adc2a74042c529eff039 Mon Sep 17 00:00:00 2001
From: Klement Sekera <ksekera@cisco.com>
Date: Wed, 1 Dec 2021 10:14:38 +0000
Subject: [PATCH] ip: reassembly: drop zero length fragments

Zero length fragments are invalid and should be dropped. This patch adds
that.

Type: improvement
Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866
Signed-off-by: Klement Sekera <ksekera@cisco.com>
---
 src/vnet/ip/ip6_error.h            |  1 +
 src/vnet/ip/reass/ip6_full_reass.c |  8 ++++++++
 src/vnet/ip/reass/ip6_sv_reass.c   |  8 ++++++++
 test/test_reassembly.py            | 18 ++++++++++++++++++
 4 files changed, 35 insertions(+)

diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h
index 8546b4af8d3..6e5df0ef6ba 100644
--- a/src/vnet/ip/ip6_error.h
+++ b/src/vnet/ip/ip6_error.h
@@ -89,6 +89,7 @@
   _ (REASS_NO_BUF, "out of buffers (drop)")                             \
   _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout")      \
   _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error")    \
+  _ (REASS_INVALID_FRAG_LEN, "invalid fragment length")    \
   _ (REASS_UNSUPP_IP_PROTO, "unsupported ip protocol")
 
 // clang-format on
diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c
index fc7fa180ab0..c9509e3345e 100644
--- a/src/vnet/ip/reass/ip6_full_reass.c
+++ b/src/vnet/ip/reass/ip6_full_reass.c
@@ -41,6 +41,7 @@ typedef enum
   IP6_FULL_REASS_RC_TOO_MANY_FRAGMENTS,
   IP6_FULL_REASS_RC_NO_BUF,
   IP6_FULL_REASS_RC_HANDOFF,
+  IP6_FULL_REASS_RC_INVALID_FRAG_LEN,
 } ip6_full_reass_rc_t;
 
 typedef struct
@@ -888,6 +889,10 @@ ip6_full_reass_update (vlib_main_t *vm, vlib_node_runtime_t *node,
   u32 fragment_length =
     vlib_buffer_length_in_chain (vm, fb) -
     (fvnb->ip.reass.ip6_frag_hdr_offset + sizeof (*frag_hdr));
+  if (0 == fragment_length)
+    {
+      return IP6_FULL_REASS_RC_INVALID_FRAG_LEN;
+    }
   u32 fragment_last = fvnb->ip.reass.fragment_last =
     fragment_first + fragment_length - 1;
   int more_fragments = ip6_frag_hdr_more (frag_hdr);
@@ -1207,6 +1212,9 @@ ip6_full_reassembly_inline (vlib_main_t * vm,
 		case IP6_FULL_REASS_RC_INTERNAL_ERROR:
 		  counter = IP6_ERROR_REASS_INTERNAL_ERROR;
 		  break;
+		case IP6_FULL_REASS_RC_INVALID_FRAG_LEN:
+		  counter = IP6_ERROR_REASS_INVALID_FRAG_LEN;
+		  break;
 		}
 	      if (~0 != counter)
 		{
diff --git a/src/vnet/ip/reass/ip6_sv_reass.c b/src/vnet/ip/reass/ip6_sv_reass.c
index 3656c5a8f61..58c7d8d8433 100644
--- a/src/vnet/ip/reass/ip6_sv_reass.c
+++ b/src/vnet/ip/reass/ip6_sv_reass.c
@@ -41,6 +41,7 @@ typedef enum
   IP6_SV_REASS_RC_TOO_MANY_FRAGMENTS,
   IP6_SV_REASS_RC_INTERNAL_ERROR,
   IP6_SV_REASS_RC_UNSUPP_IP_PROTO,
+  IP6_SV_REASS_RC_INVALID_FRAG_LEN,
 } ip6_sv_reass_rc_t;
 
 typedef struct
@@ -400,6 +401,10 @@ ip6_sv_reass_update (vlib_main_t *vm, vlib_node_runtime_t *node,
   u32 fragment_length =
     vlib_buffer_length_in_chain (vm, fb) -
     (fvnb->ip.reass.ip6_frag_hdr_offset + sizeof (*frag_hdr));
+  if (0 == fragment_length)
+    {
+      return IP6_SV_REASS_RC_INVALID_FRAG_LEN;
+    }
   u32 fragment_last = fvnb->ip.reass.fragment_last =
     fragment_first + fragment_length - 1;
   fvnb->ip.reass.range_first = fragment_first;
@@ -667,6 +672,9 @@ ip6_sv_reassembly_inline (vlib_main_t * vm,
 	    case IP6_SV_REASS_RC_INTERNAL_ERROR:
 	      counter = IP6_ERROR_REASS_INTERNAL_ERROR;
 	      break;
+	    case IP6_SV_REASS_RC_INVALID_FRAG_LEN:
+	      counter = IP6_ERROR_REASS_INVALID_FRAG_LEN;
+	      break;
 	    }
 	  if (~0 != counter)
 	    {
diff --git a/test/test_reassembly.py b/test/test_reassembly.py
index bd622a94794..faec5f42c30 100644
--- a/test/test_reassembly.py
+++ b/test/test_reassembly.py
@@ -1392,6 +1392,15 @@ class TestIPv6Reassembly(VppTestCase):
         self.assertIn(ICMPv6ParamProblem, icmp)
         self.assert_equal(icmp[ICMPv6ParamProblem].code, 3, "ICMP code")
 
+    def test_truncated_fragment(self):
+        """ truncated fragment """
+        pkt = (Ether(src=self.pg0.local_mac, dst=self.pg0.remote_mac) /
+               IPv6(src=self.pg0.remote_ip6, dst=self.pg0.local_ip6,
+                    nh=44, plen=2) /
+               IPv6ExtHdrFragment(nh=6))
+
+        self.send_and_assert_no_replies(self.pg0, [pkt], self.pg0)
+
     def test_invalid_frag_size(self):
         """ fragment size not a multiple of 8 """
         p = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) /
@@ -1917,6 +1926,15 @@ class TestIPv6SVReassembly(VppTestCase):
                IPv6ExtHdrFragment(id=1)/ICMPv6EchoRequest())
         rx = self.send_and_expect(self.src_if, [pkt], self.dst_if)
 
+    def test_truncated_fragment(self):
+        """ truncated fragment """
+        pkt = (Ether(src=self.pg0.local_mac, dst=self.pg0.remote_mac) /
+               IPv6(src=self.pg0.remote_ip6, dst=self.pg0.local_ip6,
+                    nh=44, plen=2) /
+               IPv6ExtHdrFragment(nh=6))
+
+        self.send_and_assert_no_replies(self.pg0, [pkt], self.pg0)
+
 
 class TestIPv4ReassemblyLocalNode(VppTestCase):
     """ IPv4 Reassembly for packets coming to ip4-local node """
-- 
2.16.6