Hi Ramon,

On Wed, May 25, 2022 at 11:46 PM Ramon Fried <rfried....@gmail.com> wrote:

> Hi Nicolas,
> Thanks for the research.
> I have read your description thoroughly, very interesting.
> I will implement fixes to the findings.

Is it enough to add the check below?

--- a/net/net.c
+++ b/net/net.c
@@ -906,6 +906,9 @@ static struct ip_udp_hdr *__net_defragment(struct
ip_udp_hdr *ip, int *lenp)
        uchar *indata = (uchar *)ip;
        int offset8, start, len, done = 0;
        u16 ip_off = ntohs(ip->ip_off);
+
+       if (ip->ip_len < 28)
+               return NULL;

        /* payload starts after IP header, this fragment is in there */
        payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
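
Review bot: the added check compares ip->ip_len without a byte-order conversion, while the line just above it reads ip_off through ntohs(). ip_len is a network-order header field as well, so on a little-endian host the raw comparison tests the byte-swapped value and can let through the short lengths it is meant to reject. Suggest `if (ntohs(ip->ip_len) < 28)`. The bare 28 would also read better as a named constant or an expression built on IP_HDR_SIZE, with a comment stating what minimum it represents.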
