Merge pull request #813 from nvt/fix-header-processing
Avoid integer overflows in the processing of IPv6 extension header options.
This commit is contained in:
commit
ea6c68880a
@ -824,13 +824,13 @@ ext_hdr_options_process(uint8_t *ext_buf)
|
|||||||
* 8 bytes, excluding the first 8 bytes
|
* 8 bytes, excluding the first 8 bytes
|
||||||
* length field in an option : the length of data in the option
|
* length field in an option : the length of data in the option
|
||||||
*/
|
*/
|
||||||
uint8_t opt_offset = 2; /* 2 first bytes in ext header */
|
uint16_t opt_offset = 2; /* 2 first bytes in ext header */
|
||||||
struct uip_hbho_hdr *ext_hdr = (struct uip_hbho_hdr *)ext_buf;
|
struct uip_hbho_hdr *ext_hdr = (struct uip_hbho_hdr *)ext_buf;
|
||||||
uint8_t ext_hdr_len = (ext_hdr->len << 3) + 8;
|
uint16_t ext_hdr_len = (ext_hdr->len << 3) + 8;
|
||||||
|
|
||||||
while(opt_offset + 2 <= ext_hdr_len) { /* + 2 for opt header */
|
while(opt_offset + 2 <= ext_hdr_len) { /* + 2 for opt header */
|
||||||
struct uip_ext_hdr_opt *opt_hdr = (struct uip_ext_hdr_opt *)(ext_buf + opt_offset);
|
struct uip_ext_hdr_opt *opt_hdr = (struct uip_ext_hdr_opt *)(ext_buf + opt_offset);
|
||||||
uint8_t opt_len = opt_hdr->len + 2;
|
uint16_t opt_len = opt_hdr->len + 2;
|
||||||
|
|
||||||
if(opt_offset + opt_len > ext_hdr_len) {
|
if(opt_offset + opt_len > ext_hdr_len) {
|
||||||
LOG_ERR("RPL Option too long: Dropping Packet\n");
|
LOG_ERR("RPL Option too long: Dropping Packet\n");
|
||||||
|
Loading…
Reference in New Issue
Block a user