diff options
author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2020-07-07 17:12:25 +0000 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2020-07-07 17:12:25 +0000 |
commit | ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347 (patch) | |
tree | d2a71e28196149914274a286841d33a7151c91e6 | |
parent | d877d74bea1b0c5680213ecd53fa630f6a8b1aba (diff) | |
parent | f1941d6da6cade08f47153224304183df66b6199 (diff) | |
download | slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.zip slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.tar.gz slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.tar.bz2 |
Merge branch 'ip6_payload_len' into 'master'
Drop bogus IPv6 messages
See merge request slirp/libslirp!44
-rw-r--r-- | src/ip6_input.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/ip6_input.c b/src/ip6_input.c index dfcbfd6..a83e4f8 100644 --- a/src/ip6_input.c +++ b/src/ip6_input.c @@ -44,11 +44,18 @@ void ip6_input(struct mbuf *m) goto bad; } - if (ntohs(ip6->ip_pl) > slirp->if_mtu) { + if (ntohs(ip6->ip_pl) + sizeof(struct ip6) > slirp->if_mtu) { icmp6_send_error(m, ICMP6_TOOBIG, 0); goto bad; } + // Check if the message size is big enough to hold what's + // set in the payload length header. If not this is an invalid + // packet + if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { + goto bad; + } + /* check ip_ttl for a correct ICMP reply */ if (ip6->ip_hl == 0) { icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); |