espressif/esp-lwip
1
0
Fork 0
mirror of https://github.com/espressif/esp-lwip.git synced 2026-06-05 21:04:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Revert "nd6.c: Fix out of bound reads in nd6_input(). The fix checks if the length has a valid lower bound."

Browse Source 
This reverts commit 7a7568d6c4.

bugfix for ipv6 check ns na packet length
This commit is contained in:
xueyunfei
2020-12-21 10:52:30 +08:00
parent 93ee5e5301
commit 2acf959a2b
1 changed files with 1 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/core/ipv6/nd6.c
+1 -21
View File
@@ -204,12 +204,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct na_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3))) {
#endif
/* @todo debug message */
pbuf_free(p);
ND6_STATS_INC(nd6.lenerr);
@@ -256,12 +251,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct na_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3))) {
#endif
/* @todo debug message */
pbuf_free(p);
ND6_STATS_INC(nd6.lenerr);
@@ -298,18 +288,13 @@ nd6_input(struct pbuf *p, struct netif *inp)
ND6_STATS_INC(nd6.drop);
return;
}
ns_hdr = (struct ns_header *)p->payload;
/* Check if there is a link-layer address provided. Only point to it if in this buffer. */
if (p->len >= (sizeof(struct ns_header) + 2)) {
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct ns_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct ns_header) + (lladdr_opt->length << 3))) {
#endif
lladdr_opt = NULL;
}
} else {
@@ -640,12 +625,7 @@ nd6_input(struct pbuf *p, struct netif *inp)
if (p->len >= (sizeof(struct redirect_header) + 2)) {
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct redirect_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct redirect_header) + (lladdr_opt->length << 3))) {
#endif
lladdr_opt = NULL;
}
} else {