[lng-odp] [PATCH API-NEXT v15 10/14] linux-gen: ipsec: validate ip header total length

Sun, 12 Nov 2017 18:14:05 -0800 

From: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org>

Check that IP packet length from the header is not bogus.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org>
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969
 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072
 **/
 platform/linux-generic/odp_ipsec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/platform/linux-generic/odp_ipsec.c 
b/platform/linux-generic/odp_ipsec.c
index 61f2dc51d..400ef2958 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -286,6 +286,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
 
        ipsec_offset = ip_offset + ip_hdr_len;
 
+       if (odp_be_to_cpu_16(ip->tot_len) + ip_offset > odp_packet_len(pkt)) {
+               status->error.alg = 1;
+               goto err;
+       }
+
        if (_ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) {
                status->error.proto = 1;
                goto err;
@@ -634,6 +639,11 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
                goto err;
        }
 
+       if (odp_be_to_cpu_16(ip->tot_len) + ip_offset > odp_packet_len(pkt)) {
+               status->error.alg = 1;
+               goto err;
+       }
+
        if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) {
                _odp_ipv4hdr_t out_ip;
                uint16_t tot_len;

Reply via email to