net: ipv6: Check the size of the ICMPv6 echo-req packet

jukkar · jukkar · commit ad27d0e39edd · 2018-11-06T11:08:15.000+02:00
The minimum size is 8 bytes, drop packet if shorter. Fixes #10970 Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
diff --git a/subsys/net/ip/icmpv6.c b/subsys/net/ip/icmpv6.c
@@ -295,7 +295,7 @@ static enum net_verdict handle_echo_request(struct net_pkt *orig)
 	struct net_pkt *pkt;
 	struct net_buf *frag;
 	struct net_if *iface;
-	u16_t payload_len;
+	s16_t payload_len;
 	int ret;
 
 	NET_DBG("Received Echo Request from %s to %s",
@@ -304,13 +304,18 @@ static enum net_verdict handle_echo_request(struct net_pkt *orig)
 
 	iface = net_pkt_iface(orig);
 
+	payload_len = ntohs(NET_IPV6_HDR(orig)->len) -
+		net_pkt_ipv6_ext_len(orig) - NET_ICMPH_LEN;
+	if (payload_len < NET_ICMPV6_UNUSED_LEN) {
+		/* No identifier or sequence number present */
+		goto drop_no_pkt;
+	}
+
 	pkt = net_pkt_get_reserve_tx(0, PKT_WAIT_TIME);
 	if (!pkt) {
 		goto drop_no_pkt;
 	}
 
-	payload_len = ntohs(NET_IPV6_HDR(orig)->len) - sizeof(NET_ICMPH_LEN) -
-							NET_ICMPV6_UNUSED_LEN;
 	frag = net_pkt_copy_all(orig, 0, PKT_WAIT_TIME);
 	if (!frag) {
 		goto drop;
