From bf4d126b811c6ad00068fd04af652c982dc289c1 Mon Sep 17 00:00:00 2001
From: Ole Troan <ot@cisco.com>
Date: Fri, 28 Sep 2018 14:27:24 +0200
Subject: [PATCH] IP ttl check in ip4-input missing for single packet path.

Change-Id: Idc17b2f8794d37cd3242a97395ab56bd633ca575
Signed-off-by: Ole Troan <ot@cisco.com>
---
 src/vnet/ip/ip4_input.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/vnet/ip/ip4_input.h b/src/vnet/ip/ip4_input.h
index 880896e6430..5df2154b2c3 100644
--- a/src/vnet/ip/ip4_input.h
+++ b/src/vnet/ip/ip4_input.h
@@ -290,6 +290,9 @@ ip4_input_check_x1 (vlib_main_t * vm,
 
   check_ver_opt_csum (ip0, &error0, verify_checksum);
 
+  if (PREDICT_FALSE (ip0->ttl < 1))
+    error0 = IP4_ERROR_TIME_EXPIRED;
+
   /* Drop fragmentation offset 1 packets. */
   error0 = ip4_get_fragment_offset (ip0) == 1 ?
     IP4_ERROR_FRAGMENT_OFFSET_ONE : error0;
-- 
2.16.6