[1/2] net: ipv6: router advertisement message length should be within limits

Message ID: 1684434279-1065-2-git-send-email-emohandesi@linux.microsoft.com
State: Accepted
Commit: a29df56eab4ad7957649834c1120c69ce03115ee
Delegated to: Ramon Fried
Series: IPv6 Network Discovery Boundary Variable and Packed Structure

Commit Message

Ehsan Mohandesi May 18, 2023, 6:24 p.m. UTC
From: Ehsan Mohandesi <emohandesi@linux.microsoft.com>

The argument len passed to function process_ra is the length of the IPv6
router advertisement message and needs to be between 0 and MTU because
it is assigned to remaining_option_len and used as a loop variable.

Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
Signed-off-by: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
---
 net/ndisc.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Vyacheslav V. Mitrofanov May 19, 2023, 7:09 a.m. UTC | #1
On Thu, 2023-05-18 at 11:24 -0700, emohandesi@linux.microsoft.com
wrote:
> 
> From: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
> 
> The argument len passed to function process_ra is the length of the
> IPv6
> router advertisement message and needs to be between 0 and MTU
> because
> it is assigned to remaining_option_len and used as a loop variable.
> 
> Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
> Signed-off-by: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
> ---
>  net/ndisc.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/ndisc.c b/net/ndisc.c
> index 0b27779..d1cec06 100644
> --- a/net/ndisc.c
> +++ b/net/ndisc.c
> @@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len)
>         unsigned char type = 0;
>         struct icmp6_ra_prefix_info *prefix = NULL;
> 
> +       if (len > ETH_MAX_MTU)
> +               return -EMSGSIZE;
>         /* Ignore the packet if router lifetime is 0. */
>         if (!icmp->icmp6_rt_lifetime)
>                 return -EOPNOTSUPP;
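Review bot: Missing documentation on the new check at the top of process_ra: nothing in the code says why ETH_MAX_MTU is the limit or that len later drives the option loop, and the `return -EMSGSIZE;` line runs straight into the "Ignore the packet if router lifetime is 0." comment. Suggest a one-line comment above the test, taken from the commit message (len is assigned to remaining_option_len and used as a loop variable), and a blank line after the return so the two early exits read as separate steps.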
> --
> 1.8.3.1
> 
> 
Reviewed-by: Viacheslav Mitrofanov <v.v.mitrofanov@yadro.com>
Ramon Fried June 10, 2023, 10:44 a.m. UTC | #2
On Thu, May 18, 2023 at 9:24 PM <emohandesi@linux.microsoft.com> wrote:
>
> From: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
>
> The argument len passed to function process_ra is the length of the IPv6
> router advertisement message and needs to be between 0 and MTU because
> it is assigned to remaining_option_len and used as a loop variable.
>
> Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
> Signed-off-by: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
> ---
>  net/ndisc.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/ndisc.c b/net/ndisc.c
> index 0b27779..d1cec06 100644
> --- a/net/ndisc.c
> +++ b/net/ndisc.c
> @@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len)
>         unsigned char type = 0;
>         struct icmp6_ra_prefix_info *prefix = NULL;
>
> +       if (len > ETH_MAX_MTU)
> +               return -EMSGSIZE;
>         /* Ignore the packet if router lifetime is 0. */
>         if (!icmp->icmp6_rt_lifetime)
>                 return -EOPNOTSUPP;
> --
> 1.8.3.1
>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Tom Rini July 27, 2023, 8:46 p.m. UTC | #3
On Thu, May 18, 2023 at 11:24:38AM -0700, emohandesi@linux.microsoft.com wrote:

> From: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
> 
> The argument len passed to function process_ra is the length of the IPv6
> router advertisement message and needs to be between 0 and MTU because
> it is assigned to remaining_option_len and used as a loop variable.
> 
> Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
> Signed-off-by: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
> Reviewed-by: Viacheslav Mitrofanov <v.v.mitrofanov@yadro.com>
> Reviewed-by: Ramon Fried <rfried.dev@gmail.com>

Applied to u-boot/master, thanks!
Patch

diff --git a/net/ndisc.c b/net/ndisc.c
index 0b27779..d1cec06 100644
--- a/net/ndisc.c
+++ b/net/ndisc.c
@@ -382,6 +382,8 @@  int process_ra(struct ip6_hdr *ip6, int len)
 	unsigned char type = 0;
 	struct icmp6_ra_prefix_info *prefix = NULL;
 
+	if (len > ETH_MAX_MTU)
+		return -EMSGSIZE;
 	/* Ignore the packet if router lifetime is 0. */
 	if (!icmp->icmp6_rt_lifetime)
 		return -EOPNOTSUPP;
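Review bot: The lower bound is not enforced in the added test: the commit message says len needs to be between 0 and MTU, but `if (len > ETH_MAX_MTU)` rejects only the upper side, and len is a signed int, so a negative value passes and still reaches the assignment to remaining_option_len that the message describes. Suggest covering both sides in the same test, for example `if (len < 0 || len > ETH_MAX_MTU)`, and consider whether the minimum should instead be the size of the fixed part of the message, since `icmp->icmp6_rt_lifetime` is read on the very next check regardless of how small len is.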