About the 'length' field in ICMPv6 options,
RFC4861 says that "The value 0 is invalid".
This patch adds assertions to raise a exception
for such invalid ICMPv6 packets.
Signed-off-by: Satoshi Fujimoto <satoshi.fujimo...@gmail.com>
---
ryu/lib/packet/icmpv6.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ryu/lib/packet/icmpv6.py b/ryu/lib/packet/icmpv6.py
index 7608169..fe94c77 100644
--- a/ryu/lib/packet/icmpv6.py
+++ b/ryu/lib/packet/icmpv6.py
@@ -206,7 +206,9 @@ class nd_neighbor(stringify.StringifyMixin):
offset += cls._MIN_LEN
option = None
if len(buf) > offset:
- (type_, ) = struct.unpack_from('!B', buf, offset)
+ (type_, length) = struct.unpack_from('!BB', buf, offset)
+ if length == 0:
+ raise struct.error('Invalid length: {len}'.format(len=length))
cls_ = cls._ND_OPTION_TYPES.get(type_)
if cls_ is not None:
option = cls_.parser(buf, offset)
@@ -277,7 +279,9 @@ class nd_router_solicit(stringify.StringifyMixin):
offset += cls._MIN_LEN
option = None
if len(buf) > offset:
- (type_, ) = struct.unpack_from('!B', buf, offset)
+ (type_, length) = struct.unpack_from('!BB', buf, offset)
+ if length == 0:
+ raise struct.error('Invalid length: {len}'.format(len=length))
cls_ = cls._ND_OPTION_TYPES.get(type_)
if cls_ is not None:
option = cls_.parser(buf, offset)
@@ -359,6 +363,8 @@ class nd_router_advert(stringify.StringifyMixin):
options = []
while len(buf) > offset:
(type_, length) = struct.unpack_from('!BB', buf, offset)
+ if length == 0:
+ raise struct.error('Invalid length: {len}'.format(len=length))
cls_ = cls._ND_OPTION_TYPES.get(type_)
if cls_ is not None:
option = cls_.parser(buf, offset)
--
2.7.4
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel
