RIOT-OS/RIOT
RIOT-OS/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-18 12:52:44 +01:00
Code Releases Activity

gnrc_ipv6: discard non-NONXT packets with 0 payload length

Browse Source 
If the payload length is zero and the next header field is not set to
NONXT, GNRC will interpret the current header as the payload because the
first snip is always interpreted as the payload. This can lead to loops
and or crashes.
This commit is contained in:
Robin Nehls 2018-04-03 18:18:58 +02:00
parent 77ad70ebb6
commit ad5617fb83
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
View File

@ -784,13 +784,20 @@ static void _receive(gnrc_pktsnip_t *pkt)
/* extract header */
hdr = (ipv6_hdr_t *)ipv6->data;
uint16_t ipv6_len = byteorder_ntohs(hdr->len);
if ((ipv6_len == 0) && (hdr->nh != PROTNUM_IPV6_NONXT)) {
/* this doesn't even make sense */
DEBUG("ipv6: payload length 0, but next header not NONXT\n");
gnrc_pktbuf_release(pkt);
return;
}
/* if available, remove any padding that was added by lower layers
* to fulfill their minimum size requirements (e.g. ethernet) */
if ((ipv6 != pkt) && (byteorder_ntohs(hdr->len) < pkt->size)) {
else if ((ipv6 != pkt) && (ipv6_len < pkt->size)) {
gnrc_pktbuf_realloc_data(pkt, byteorder_ntohs(hdr->len));
}
else if (byteorder_ntohs(hdr->len) >
(gnrc_pkt_len_upto(pkt, GNRC_NETTYPE_IPV6) - sizeof(ipv6_hdr_t))) {
else if (ipv6_len > (gnrc_pkt_len_upto(pkt, GNRC_NETTYPE_IPV6) - sizeof(ipv6_hdr_t))) {
DEBUG("ipv6: invalid payload length: %d, actual: %d, dropping packet\n",
(int) byteorder_ntohs(hdr->len),
(int) (gnrc_pkt_len_upto(pkt, GNRC_NETTYPE_IPV6) - sizeof(ipv6_hdr_t)));