udp: validate input data length
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3f34011ca61ded310d0411e7b50548982bd164ac
diff --git a/src/vnet/udp/udp_input.c b/src/vnet/udp/udp_input.c
index bd4e757..453e123 100644
--- a/src/vnet/udp/udp_input.c
+++ b/src/vnet/udp/udp_input.c
@@ -89,7 +89,7 @@
while (n_left_from > 0)
{
- u32 bi0, fib_index0;
+ u32 bi0, fib_index0, data_len;
vlib_buffer_t *b0;
u32 error0 = UDP_ERROR_ENQUEUED;
udp_header_t *udp0;
@@ -125,7 +125,8 @@
udp0->src_port, TRANSPORT_PROTO_UDP);
lcl_addr = &ip40->dst_address;
rmt_addr = &ip40->src_address;
-
+ data_len = clib_net_to_host_u16 (ip40->length);
+ data_len -= sizeof (ip4_header_t) + sizeof (udp_header_t);
}
else
{
@@ -135,6 +136,8 @@
udp0->src_port, TRANSPORT_PROTO_UDP);
lcl_addr = &ip60->dst_address;
rmt_addr = &ip60->src_address;
+ data_len = clib_net_to_host_u16 (ip60->payload_length);
+ data_len -= sizeof (udp_header_t);
}
if (PREDICT_FALSE (!s0))
@@ -228,12 +231,12 @@
if (svm_fifo_max_enqueue_prod (s0->rx_fifo)
- < b0->current_length + sizeof (session_dgram_hdr_t))
+ < data_len + sizeof (session_dgram_hdr_t))
{
error0 = UDP_ERROR_FIFO_FULL;
goto trace0;
}
- hdr0.data_length = b0->current_length;
+ hdr0.data_length = b0->current_length = data_len;
hdr0.data_offset = 0;
ip_set (&hdr0.lcl_ip, lcl_addr, is_ip4);
ip_set (&hdr0.rmt_ip, rmt_addr, is_ip4);