From 2acf959a2bb559313cd2bf9306c24612ba3d0e19 Mon Sep 17 00:00:00 2001
From: xueyunfei <xueyunfei@espressif.com>
Date: Mon, 21 Dec 2020 10:52:30 +0800
Subject: [PATCH] Revert "nd6.c: Fix out of bound reads in nd6_input(). The fix
 checks if the length has a valid lower bound."

This reverts commit 7a7568d6c4a7d608ce602b0f13852d9984499c24.

bugfix for ipv6 check ns na packet length
---
 src/core/ipv6/nd6.c | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/src/core/ipv6/nd6.c b/src/core/ipv6/nd6.c
index 42045738..508ba4b2 100644
--- a/src/core/ipv6/nd6.c
+++ b/src/core/ipv6/nd6.c
@@ -204,12 +204,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
 
       lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct na_header));
 
-#ifdef ESP_LWIP
-      if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
-        || (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
-#else
       if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3))) {
-#endif
         /* @todo debug message */
         pbuf_free(p);
         ND6_STATS_INC(nd6.lenerr);
@@ -256,12 +251,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
 
         lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct na_header));
 
-#ifdef ESP_LWIP
-      if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
-        || (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
-#else
         if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3))) {
-#endif
           /* @todo debug message */
           pbuf_free(p);
           ND6_STATS_INC(nd6.lenerr);
@@ -298,18 +288,13 @@ nd6_input(struct pbuf *p, struct netif *inp)
       ND6_STATS_INC(nd6.drop);
       return;
     }
+
     ns_hdr = (struct ns_header *)p->payload;
 
     /* Check if there is a link-layer address provided. Only point to it if in this buffer. */
     if (p->len >= (sizeof(struct ns_header) + 2)) {
       lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct ns_header));
-#ifdef ESP_LWIP
-      if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
-        || (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
-#else
       if (p->len < (sizeof(struct ns_header) + (lladdr_opt->length << 3))) {
-
-#endif
         lladdr_opt = NULL;
       }
     } else {
@@ -640,12 +625,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
 
     if (p->len >= (sizeof(struct redirect_header) + 2)) {
       lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct redirect_header));
-#ifdef ESP_LWIP
-      if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
-        || (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
-#else
       if (p->len < (sizeof(struct redirect_header) + (lladdr_opt->length << 3))) {
-#endif
         lladdr_opt = NULL;
       }
     } else {