
26 May 2022, 2:13 p.m.
Hi Ramon,
On Wed, May 25, 2022 at 11:46 PM Ramon Fried <rfried.dev@gmail.com> wrote:
Hi Nicolas, Thanks for the research. I have read your description thoroughly, very interesting. I will implement fixes to the findings.
Is it enough to add the check below?
--- a/net/net.c +++ b/net/net.c @@ -906,6 +906,9 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) uchar *indata = (uchar *)ip; int offset8, start, len, done = 0; u16 ip_off = ntohs(ip->ip_off); + + if (ip->ip_len < 28) + return NULL;
/* payload starts after IP header, this fragment is in there */ payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
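Review bot: the new guard compares ip->ip_len in its raw on-the-wire (big-endian) form, whereas the line just above the hunk converts ip_off with ntohs(ip->ip_off) before using it; on a little-endian target a declared total length of 0x001C would be read as 0x1C00 and pass the check, while a legitimate 0x0100 would be read as 0x0001 and be rejected. Suggest `if (ntohs(ip->ip_len) < 28) return NULL;` so the comparison is on the host-order value, and a short comment stating what 28 stands for (presumably IP header plus UDP header) would help the next reader. Since ip_len is taken from the packet itself, it would also be worth checking it against the length actually received via *lenp, so that a declared length larger than the buffer is caught as well as one that is too small.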