ip: reassembly: drop zero length fragments
Zero length fragments are invalid and should be dropped. This patch adds
that.
Type: improvement
Change-Id: Ic6466c39ca8bf376efe06bb3b7f5d7f1ae812866
Signed-off-by: Klement Sekera <ksekera@cisco.com>
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h
index 8546b4a..6e5df0e 100644
--- a/src/vnet/ip/ip6_error.h
+++ b/src/vnet/ip/ip6_error.h
@@ -89,6 +89,7 @@
_ (REASS_NO_BUF, "out of buffers (drop)") \
_ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout") \
_ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error") \
+ _ (REASS_INVALID_FRAG_LEN, "invalid fragment length") \
_ (REASS_UNSUPP_IP_PROTO, "unsupported ip protocol")
// clang-format on
diff --git a/src/vnet/ip/reass/ip6_full_reass.c b/src/vnet/ip/reass/ip6_full_reass.c
index fc7fa18..c9509e3 100644
--- a/src/vnet/ip/reass/ip6_full_reass.c
+++ b/src/vnet/ip/reass/ip6_full_reass.c
@@ -41,6 +41,7 @@
IP6_FULL_REASS_RC_TOO_MANY_FRAGMENTS,
IP6_FULL_REASS_RC_NO_BUF,
IP6_FULL_REASS_RC_HANDOFF,
+ IP6_FULL_REASS_RC_INVALID_FRAG_LEN,
} ip6_full_reass_rc_t;
typedef struct
@@ -888,6 +889,10 @@
u32 fragment_length =
vlib_buffer_length_in_chain (vm, fb) -
(fvnb->ip.reass.ip6_frag_hdr_offset + sizeof (*frag_hdr));
+ if (0 == fragment_length)
+ {
+ return IP6_FULL_REASS_RC_INVALID_FRAG_LEN;
+ }
u32 fragment_last = fvnb->ip.reass.fragment_last =
fragment_first + fragment_length - 1;
int more_fragments = ip6_frag_hdr_more (frag_hdr);
@@ -1207,6 +1212,9 @@
case IP6_FULL_REASS_RC_INTERNAL_ERROR:
counter = IP6_ERROR_REASS_INTERNAL_ERROR;
break;
+ case IP6_FULL_REASS_RC_INVALID_FRAG_LEN:
+ counter = IP6_ERROR_REASS_INVALID_FRAG_LEN;
+ break;
}
if (~0 != counter)
{
diff --git a/src/vnet/ip/reass/ip6_sv_reass.c b/src/vnet/ip/reass/ip6_sv_reass.c
index 3656c5a..58c7d8d 100644
--- a/src/vnet/ip/reass/ip6_sv_reass.c
+++ b/src/vnet/ip/reass/ip6_sv_reass.c
@@ -41,6 +41,7 @@
IP6_SV_REASS_RC_TOO_MANY_FRAGMENTS,
IP6_SV_REASS_RC_INTERNAL_ERROR,
IP6_SV_REASS_RC_UNSUPP_IP_PROTO,
+ IP6_SV_REASS_RC_INVALID_FRAG_LEN,
} ip6_sv_reass_rc_t;
typedef struct
@@ -400,6 +401,10 @@
u32 fragment_length =
vlib_buffer_length_in_chain (vm, fb) -
(fvnb->ip.reass.ip6_frag_hdr_offset + sizeof (*frag_hdr));
+ if (0 == fragment_length)
+ {
+ return IP6_SV_REASS_RC_INVALID_FRAG_LEN;
+ }
u32 fragment_last = fvnb->ip.reass.fragment_last =
fragment_first + fragment_length - 1;
fvnb->ip.reass.range_first = fragment_first;
@@ -667,6 +672,9 @@
case IP6_SV_REASS_RC_INTERNAL_ERROR:
counter = IP6_ERROR_REASS_INTERNAL_ERROR;
break;
+ case IP6_SV_REASS_RC_INVALID_FRAG_LEN:
+ counter = IP6_ERROR_REASS_INVALID_FRAG_LEN;
+ break;
}
if (~0 != counter)
{