Networking: In both IPv6 and IPv4 incoming logic: (1) Should check if the packet size is large enough before trying to access the packet length in the IP header. (2) In the comparison between the IP length and the full packet length, need to subtract the size of the link layer header before making the comparison or we will get false positives (i.e., the packet is really too small).

Gregory Nutt 2016-06-09 13:16:47 -06:00
parent df5a2105cd
commit a81a467a40
2 changed files with 24 additions and 16 deletions


@ -116,10 +116,6 @@
#define TCP_REASS_BUFSIZE (NET_DEV_MTU(dev) - NET_LL_HDRLEN(dev))
#define TCP_REASS_LASTFRAG 0x01
/****************************************************************************
* Public Data
****************************************************************************/
/****************************************************************************
* Private Data
****************************************************************************/
@ -323,6 +319,7 @@ nullreturn:
int ipv4_input(FAR struct net_driver_s *dev)
{
FAR struct ipv4_hdr_s *pbuf = BUF;
uint16_t hdrlen;
uint16_t iplen;
/* This is where the input processing starts. */
@ -346,6 +343,17 @@ int ipv4_input(FAR struct net_driver_s *dev)
goto drop;
}
/* Get the size of the packet minus the size of link layer header */
hdrlen = NET_LL_HDRLEN(dev);
if ((hdrlen + IPv4_HDRLEN) > dev->d_len)
{
nlldbg("Packet shorter than IPv4 header\n");
goto drop;
}
dev->d_len -= hdrlen;
/* Check the size of the packet. If the size reported to us in d_len is
* smaller the size reported in the IP header, we assume that the packet
* has been corrupted in transit. If the size of d_len is larger than the
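Review bot: The new minimum-length check in ipv4_input sits after an earlier `goto drop` path whose condition lies outside the hunk; if that condition reads a field through `pbuf` (inferred, not visible here), the header is still touched before `d_len` is known to cover `hdrlen + IPv4_HDRLEN`. Moving the `if ((hdrlen + IPv4_HDRLEN) > dev->d_len)` block ahead of the first dereference of `pbuf` would close that gap. The same ordering question applies to ipv6_input with `ipv6` and `IPv6_HDRLEN`. Both function bodies start and continue outside the hunks shown.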


@ -108,18 +108,6 @@
#define IPv6BUF ((FAR struct ipv6_hdr_s *)&dev->d_buf[NET_LL_HDRLEN(dev)])
/****************************************************************************
* Public Data
****************************************************************************/
/****************************************************************************
* Private Data
****************************************************************************/
/****************************************************************************
* Private Functions
****************************************************************************/
/****************************************************************************
* Public Functions
****************************************************************************/
@ -142,6 +130,7 @@
int ipv6_input(FAR struct net_driver_s *dev)
{
FAR struct ipv6_hdr_s *ipv6 = IPv6BUF;
uint16_t hdrlen;
uint16_t pktlen;
/* This is where the input processing starts. */
@ -166,6 +155,17 @@ int ipv6_input(FAR struct net_driver_s *dev)
goto drop;
}
/* Get the size of the packet minus the size of link layer header */
hdrlen = NET_LL_HDRLEN(dev);
if ((hdrlen + IPv6_HDRLEN) > dev->d_len)
{
nlldbg("Packet shorter than IPv6 header\n");
goto drop;
}
dev->d_len -= hdrlen;
/* Check the size of the packet. If the size reported to us in d_len is
* smaller the size reported in the IP header, we assume that the packet
* has been corrupted in transit. If the size of d_len is larger than the
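Review bot: `dev->d_len -= hdrlen;` changes what `d_len` means for the rest of ipv6_input and for anything that reads the driver structure afterwards, and the comment above the check does not say that the field itself is rewritten. I would put a comment on the subtraction, e.g. `/* From here on d_len excludes the link layer header */`, and confirm that no later path, including `drop`, still expects the full frame length. The matching line in ipv4_input needs the same comment. The function body continues outside the hunk.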