diff options
| author | Andrei Vagin <avagin@google.com> | 2021-10-26 15:20:07 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-10-26 15:23:34 -0700 |
| commit | f54a25c1f03e705f2fb65be7389ddeb37bc5e64e (patch) | |
| tree | 6509135bafd1c73833372a57e2b50defa5d0a88f | |
| parent | 722d7ca744db6aab442bc71bb50b64599c8fa522 (diff) | |
Validate an icmp header before accessing it
A header can't be smaller than header.ICMPv4MinimumSize.
Reported-by: syzbot+57b68b14b4f6a58bf985@syzkaller.appspotmail.com
PiperOrigin-RevId: 405748438
| -rw-r--r-- | pkg/tcpip/network/ipv4/icmp.go | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/tcpip/network/ipv4/icmp.go b/pkg/tcpip/network/ipv4/icmp.go index 3eff0bbd8..59acbad02 100644 --- a/pkg/tcpip/network/ipv4/icmp.go +++ b/pkg/tcpip/network/ipv4/icmp.go @@ -572,6 +572,10 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip // if problems arise this could be reversed. It was judged less of a breach // of protocol to not respond to unknown non-error packets than to respond // to unknown error packets so we take the first approach. + if len(transportHeader) < header.ICMPv4MinimumSize { + // The packet is malformed. + return nil + } switch header.ICMPv4(transportHeader).Type() { case header.ICMPv4EchoReply, |