zhhyu7 opened a new pull request, #17917:
URL: https://github.com/apache/nuttx/pull/17917
## Summary
This PR adds validation for IPv4 option lengths during packet processing to
prevent malformed packets from causing undefined behavior or potential security
issues.
### Problem
Currently, NuttX's IPv4 input processing does not validate the length field
of IP options before processing them. This can lead to:
- Out-of-bounds memory access when processing malformed packets
- Undefined behavior if option length field is invalid
- Potential security vulnerabilities from specially crafted packets
### Solution
This patch introduces a new `ipv4_check_opt()` function that validates IPv4
option lengths before processing. The function:
- Checks that option lengths are within the bounds of the IP header
- Properly handles special option types (END and NOOP)
- Returns an error for malformed options
- Is only compiled when `CONFIG_DEBUG_FEATURES` is enabled
Additionally, the header length check is improved to use the actual header
length from the IP header instead of assuming the minimum length.
### Changes
1. Add `ipv4_check_opt()` function to validate option lengths
2. Call validation function during packet processing (when debug is enabled)
3. Improve initial header length check to use actual header length
4. Add proper error handling and statistics tracking
## Impact
**Stability**: Positive - Prevents potential crashes from malformed packets
with invalid option lengths.
**Security**: Positive - Mitigates potential security issues from specially
crafted packets.
**Performance**: Minimal - Validation only runs when `CONFIG_DEBUG_FEATURES`
is enabled.
**Compatibility**: No breaking changes - Only adds additional validation.
**Code Quality**: Positive - Improves input validation and error handling.
## Testing
### Test Configuration
- **Host OS**: Ubuntu 22.04 x86_64
- **Target**: sim:nsh (x86_64 simulator)
- **NuttX Config**: `CONFIG_DEBUG_FEATURES=y`, `CONFIG_NET=y`,
`CONFIG_NET_IPv4=y`
### Verification Checklist
- Code compiles without warnings
- Normal IPv4 packets processed correctly
- Malformed packets with invalid option lengths are detected and dropped
- NOOP and END options handled correctly
- No regression in existing functionality
- Statistics properly updated on error
- Debug output provides useful information
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
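The checks the PR summary describes (header length taken from the IHL field, END and NOOP treated as single-byte options, every other option's length kept inside the header), as an added example that is not code from the pull request or from NuttX. `check_ipv4_options()`, `check_sample()` and the sample option bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDRLEN 20
#define IPOPT_END       0   /* End of option list, single byte */
#define IPOPT_NOOP      1   /* No operation, single byte */

/* Hypothetical helper, not NuttX's ipv4_check_opt(): 0 = well formed, -1 = drop */
int check_ipv4_options(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HDRLEN || (pkt[0] >> 4) != 4) return -1;
    size_t hdrlen = (size_t)(pkt[0] & 0x0f) * 4;  /* length the packet claims */
    if (hdrlen < IPV4_MIN_HDRLEN || hdrlen > len) return -1;
    for (size_t i = IPV4_MIN_HDRLEN; i < hdrlen; ) {
        if (pkt[i] == IPOPT_END) break;            /* the rest is padding */
        if (pkt[i] == IPOPT_NOOP) { i++; continue; }  /* no length byte */
        if (i + 1 >= hdrlen) return -1;            /* length byte outside header */
        uint8_t optlen = pkt[i + 1];
        if (optlen < 2 || optlen > hdrlen - i) return -1;  /* stall or overrun */
        i += optlen;
    }
    return 0;
}

/* Constructed samples: option bytes that follow a 20-byte header */
static const uint8_t opts_ok[]      = {1, 7, 7, 4, 0, 0, 0, 0}; /* NOOP + type 7, len 7 */
static const uint8_t opts_end[]     = {0, 7, 200, 0};  /* END first, rest ignored */
static const uint8_t opts_overrun[] = {7, 12, 4, 0};   /* len 12, only 4 bytes left */
static const uint8_t opts_zero[]    = {7, 0, 0, 0};    /* len 0 would never advance */
static const uint8_t opts_trunc[]   = {1, 1, 1, 7};    /* type byte, no length byte */
static const uint8_t hdr_short[20]  = {0x46};          /* IHL says 24, buffer has 20 */

/* Wrap option bytes (n is a multiple of 4, at most 40) in a header and check it */
int check_sample(const uint8_t *opts, size_t n)
{
    uint8_t pkt[60] = {0};
    pkt[0] = (uint8_t)(0x40 | ((IPV4_MIN_HDRLEN + n) / 4));
    memcpy(pkt + IPV4_MIN_HDRLEN, opts, n);
    return check_ipv4_options(pkt, IPV4_MIN_HDRLEN + n);
}

int main(void)
{
    printf("ok=%d overrun=%d short=%d\n", check_sample(opts_ok, sizeof opts_ok),
           check_sample(opts_overrun, sizeof opts_overrun),
           check_ipv4_options(hdr_short, sizeof hdr_short));
    return 0;
}
```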