vnet: fix ip4 version and IHL check 35/37135/6
authorDmitry Valter <d-valter@yandex-team.ru>
Fri, 16 Sep 2022 12:33:25 +0000 (12:33 +0000)
committerBeno�t Ganne <bganne@cisco.com>
Tue, 27 Sep 2022 14:25:05 +0000 (14:25 +0000)
Validate version and IHL regardless of whether options are present.
Previously, VPP would accept seriously damaged headers when IHL != 5.

Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Ifd59622efa63dfad7f6e4858dec40ccac3274574

src/vnet/ip/ip.api
src/vnet/ip/ip4_input.h

index 23e094b..8a6ecc8 100644 (file)
@@ -1020,6 +1020,12 @@ counters ip4 {
     units "packets";
     description "ip4 ttl <= 1";
   };
+  hdr_too_short {
+    severity error;
+    type counter64;
+    units "packets";
+    description "ip4 IHL < 5";
+  };
 
   /* Errors signalled by ip4-rewrite. */
   mtu_exceeded {
index 57aef0b..d2ed13f 100644 (file)
@@ -60,15 +60,17 @@ check_ver_opt_csum (ip4_header_t * ip, u8 * error, int verify_checksum)
 {
   if (PREDICT_FALSE (ip->ip_version_and_header_length != 0x45))
     {
-      if ((ip->ip_version_and_header_length & 0xf) != 5)
+      if ((ip->ip_version_and_header_length & 0xf0) != 0x40)
+       *error = IP4_ERROR_VERSION;
+      else if ((ip->ip_version_and_header_length & 0x0f) < 5)
+       *error = IP4_ERROR_HDR_TOO_SHORT;
+      else
        {
          *error = IP4_ERROR_OPTIONS;
          if (verify_checksum &&
              clib_ip_csum ((u8 *) ip, ip4_header_bytes (ip)) != 0)
            *error = IP4_ERROR_BAD_CHECKSUM;
        }
-      else
-       *error = IP4_ERROR_VERSION;
     }
   else if (PREDICT_FALSE (verify_checksum &&
                          clib_ip_csum ((u8 *) ip, sizeof (ip4_header_t)) !=
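Review bot: In the options branch, `clib_ip_csum ((u8 *) ip, ip4_header_bytes (ip))` checksums a length taken from the packet's own IHL field, and nothing in this hunk shows that the buffer holds that many bytes. IHL is a 4-bit field, so that length is presumably up to 60 bytes, and a truncated packet claiming a large IHL would be summed over bytes past the received data unless the caller has already bounded it. Either confirm that the data length is checked against `ip4_header_bytes (ip)` before this function runs and say so in a comment above the call, or move the checksum after that length check. A short comment at the top of the block stating the new precedence (version first, then IHL < 5, then options and checksum) would also help. The body of check_ver_opt_csum continues past the end of the hunk, so the last point only covers the lines shown.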