authorAndrei Vagin <avagin@google.com>2021-10-26 15:20:07 -0700
committergVisor bot <gvisor-bot@google.com>2021-10-26 15:23:34 -0700
commitf54a25c1f03e705f2fb65be7389ddeb37bc5e64e (patch)
tree6509135bafd1c73833372a57e2b50defa5d0a88f
parent722d7ca744db6aab442bc71bb50b64599c8fa522 (diff)
Validate an icmp header before accessing it
A header can't be smaller than header.ICMPv4MinimumSize. Reported-by: syzbot+57b68b14b4f6a58bf985@syzkaller.appspotmail.com PiperOrigin-RevId: 405748438
-rw-r--r--pkg/tcpip/network/ipv4/icmp.go4
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/tcpip/network/ipv4/icmp.go b/pkg/tcpip/network/ipv4/icmp.go
index 3eff0bbd8..59acbad02 100644
--- a/pkg/tcpip/network/ipv4/icmp.go
+++ b/pkg/tcpip/network/ipv4/icmp.go
@@ -572,6 +572,10 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
// if problems arise this could be reversed. It was judged less of a breach
// of protocol to not respond to unknown non-error packets than to respond
// to unknown error packets so we take the first approach.
+ if len(transportHeader) < header.ICMPv4MinimumSize {
+ // The packet is malformed.
+ return nil
+ }
switch header.ICMPv4(transportHeader).Type() {
case
header.ICMPv4EchoReply,
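Review bot: The added guard before `header.ICMPv4(transportHeader).Type()` drops a truncated ICMP header silently: it returns `nil` with no counter or log, so malformed packets reaching returnError leave no trace for whoever operates the stack. If a malformed-packet stat is reachable from this path (not visible in the hunk), increment it before the return. The comment could also state the decision, e.g. `// Shorter than header.ICMPv4MinimumSize: not a parseable ICMPv4 header, so drop it without replying.` The diffstat shows only icmp.go changing, so the syzbot reproducer is not captured as a regression test; a unit test that sends a transport header shorter than `header.ICMPv4MinimumSize` through this path would pin the fix. returnError starts and ends outside the hunk, so where `transportHeader` comes from, and whether other accessors read it earlier, cannot be checked here.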