nd6.c: Fix out of bound reads in nd6_input(). The fix checks if the length has a valid lower bound.

kewal shah
2020-11-09 12:25:32 +05:30
committed by Mahavir Jain
parent db160dc329
commit 7a7568d6c4
+21 -1
@@ -204,7 +204,12 @@ nd6_input(struct pbuf *p, struct netif *inp)
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct na_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3))) {
#endif
/* @todo debug message */
pbuf_free(p);
ND6_STATS_INC(nd6.lenerr);
@@ -251,7 +256,12 @@ nd6_input(struct pbuf *p, struct netif *inp)
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct na_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3))) {
#endif
/* @todo debug message */
pbuf_free(p);
ND6_STATS_INC(nd6.lenerr);
@@ -288,13 +298,18 @@ nd6_input(struct pbuf *p, struct netif *inp)
ND6_STATS_INC(nd6.drop);
return;
}
ns_hdr = (struct ns_header *)p->payload;
/* Check if there is a link-layer address provided. Only point to it if in this buffer. */
if (p->len >= (sizeof(struct ns_header) + 2)) {
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct ns_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct ns_header) + (lladdr_opt->length << 3))) {
#endif
lladdr_opt = NULL;
}
} else {
@@ -625,7 +640,12 @@ nd6_input(struct pbuf *p, struct netif *inp)
if (p->len >= (sizeof(struct redirect_header) + 2)) {
lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct redirect_header));
#ifdef ESP_LWIP
if (p->len < (sizeof(struct na_header) + (lladdr_opt->length << 3)) || (lladdr_opt->length < 2)
|| (lladdr_opt->length - 2) << 3 < inp->hwaddr_len) {
#else
if (p->len < (sizeof(struct redirect_header) + (lladdr_opt->length << 3))) {
#endif
lladdr_opt = NULL;
}
} else {
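Review bot: The ESP_LWIP branch in the hunks at -288 and -625 bounds the option with `sizeof(struct na_header)`, although `lladdr_opt` there is placed after `struct ns_header` and `struct redirect_header`, and the `#else` branch uses those sizes. If `struct redirect_header` is larger than `struct na_header`, the redirect path still accepts an option that extends past `p->len`, which is the out-of-bounds read this commit is meant to close. The first clause there should read `p->len < (sizeof(struct redirect_header) + (lladdr_opt->length << 3))`, and likewise with `struct ns_header` in the -288 hunk. Separately, in all four hunks `(lladdr_opt->length - 2) << 3` together with `lladdr_opt->length < 2` appears to subtract two 8-byte units rather than the 2-byte type/length prefix, so an option of length 1 carrying a 6-byte address would be rejected; `((lladdr_opt->length << 3) - 2) < inp->hwaddr_len` with `lladdr_opt->length == 0` rejected looks like the intended test, to be confirmed against the option layout. nd6_input() starts and ends outside these hunks.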