[PATCH 1/2] net: ipv6: router advertisement message length should be within limits

emohandesi at linux.microsoft.com emohandesi at linux.microsoft.com
Thu May 18 20:24:38 CEST 2023

From: Ehsan Mohandesi <emohandesi at linux.microsoft.com>

The argument len passed to function process_ra is the length of the IPv6
router advertisement message and needs to be between 0 and MTU because
it is assigned to remaining_option_len and used as a loop variable.

Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
Signed-off-by: Ehsan Mohandesi <emohandesi at linux.microsoft.com>
 net/ndisc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ndisc.c b/net/ndisc.c
index 0b27779..d1cec06 100644
--- a/net/ndisc.c
+++ b/net/ndisc.c
@@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len)
 	unsigned char type = 0;
 	struct icmp6_ra_prefix_info *prefix = NULL;
+	if (len > ETH_MAX_MTU)
+		return -EMSGSIZE;
 	/* Ignore the packet if router lifetime is 0. */
 	if (!icmp->icmp6_rt_lifetime)
 		return -EOPNOTSUPP;
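Review bot: The added check at the top of process_ra() bounds len only from above, while the commit message says len must be between 0 and MTU. len is a signed int, so a negative value still passes `if (len > ETH_MAX_MTU)` and goes on to be assigned to remaining_option_len and used as the loop variable, which is the case the Coverity TAINTED_SCALAR report is about. Consider rejecting both ends in one test, for example `if (len < 0 || len > ETH_MAX_MTU)` with the same -EMSGSIZE return. A short comment above the check stating why ETH_MAX_MTU is the chosen limit would also help, as the neighbouring router-lifetime check has one.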

More information about the U-Boot mailing list