[PATCH 1/2] net: ipv6: router advertisement message length should be within limits

Vyacheslav V. Mitrofanov v.v.mitrofanov at yadro.com
Fri May 19 09:09:36 CEST 2023


On Thu, 2023-05-18 at 11:24 -0700, emohandesi at linux.microsoft.com
wrote:
> 
> From: Ehsan Mohandesi <emohandesi at linux.microsoft.com>
> 
> The argument len passed to function process_ra is the length of the
> IPv6
> router advertisement message and needs to be between 0 and MTU
> because
> it is assigned to remaining_option_len and used as a loop variable.
> 
> Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
> Signed-off-by: Ehsan Mohandesi <emohandesi at linux.microsoft.com>
> ---
>  net/ndisc.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/ndisc.c b/net/ndisc.c
> index 0b27779..d1cec06 100644
> --- a/net/ndisc.c
> +++ b/net/ndisc.c
> @@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len)
>         unsigned char type = 0;
>         struct icmp6_ra_prefix_info *prefix = NULL;
> 
> +       if (len > ETH_MAX_MTU)
> +               return -EMSGSIZE;
>         /* Ignore the packet if router lifetime is 0. */
>         if (!icmp->icmp6_rt_lifetime)
>                 return -EOPNOTSUPP;
> --
> 1.8.3.1
> 
> 
Reviewed-by: Viacheslav Mitrofanov <v.v.mitrofanov at yadro.com>


More information about the U-Boot mailing list