Merge branch 'ip6_payload_len' into 'master'

Drop bogus IPv6 messages See merge request slirp/libslirp!44
author: Samuel Thibault <samuel.thibault@ens-lyon.org> 2020-07-07 17:12:25 +0000
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> 2020-07-07 17:12:25 +0000
commit: ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347 (patch)
tree: d2a71e28196149914274a286841d33a7151c91e6
parent: d877d74bea1b0c5680213ecd53fa630f6a8b1aba (diff)
parent: f1941d6da6cade08f47153224304183df66b6199 (diff)
download: slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.zip
slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.tar.gz
slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.tar.bz2
1 files changed, 8 insertions, 1 deletions
diff --git a/src/ip6_input.c b/src/ip6_input.c
index dfcbfd6..a83e4f8 100644
--- a/src/ip6_input.c
+++ b/src/ip6_input.c
@@ -44,11 +44,18 @@ void ip6_input(struct mbuf *m)
         goto bad;
     }
 
-    if (ntohs(ip6->ip_pl) > slirp->if_mtu) {
+    if (ntohs(ip6->ip_pl) + sizeof(struct ip6) > slirp->if_mtu) {
         icmp6_send_error(m, ICMP6_TOOBIG, 0);
         goto bad;
     }
 
+    // Check if the message size is big enough to hold what's
+    // set in the payload length header. If not this is an invalid
+    // packet
+    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+        goto bad;
+    }
+
     /* check ip_ttl for a correct ICMP reply */
     if (ip6->ip_hl == 0) {
         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
author	Samuel Thibault <samuel.thibault@ens-lyon.org>	2020-07-07 17:12:25 +0000
committer	Samuel Thibault <samuel.thibault@ens-lyon.org>	2020-07-07 17:12:25 +0000
commit	ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347 (patch)
tree	d2a71e28196149914274a286841d33a7151c91e6
parent	d877d74bea1b0c5680213ecd53fa630f6a8b1aba (diff)
parent	f1941d6da6cade08f47153224304183df66b6199 (diff)
download	slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.zip slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.tar.gz slirp-ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347.tar.bz2