Validate an icmp header before accessing it

A header can't be smaller than header.ICMPv4MinimumSize. Reported-by: syzbot+57b68b14b4f6a58bf985@syzkaller.appspotmail.com PiperOrigin-RevId: 405748438
author: Andrei Vagin <avagin@google.com> 2021-10-26 15:20:07 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-10-26 15:23:34 -0700
commit: f54a25c1f03e705f2fb65be7389ddeb37bc5e64e (patch)
tree: 6509135bafd1c73833372a57e2b50defa5d0a88f /pkg
parent: 722d7ca744db6aab442bc71bb50b64599c8fa522 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/tcpip/network/ipv4/icmp.go b/pkg/tcpip/network/ipv4/icmp.go
index 3eff0bbd8..59acbad02 100644
--- a/pkg/tcpip/network/ipv4/icmp.go
+++ b/pkg/tcpip/network/ipv4/icmp.go
@@ -572,6 +572,10 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 		// if problems arise this could be reversed. It was judged less of a breach
 		// of protocol to not respond to unknown non-error packets than to respond
 		// to unknown error packets so we take the first approach.
+		if len(transportHeader) < header.ICMPv4MinimumSize {
+			// The packet is malformed.
+			return nil
+		}
 		switch header.ICMPv4(transportHeader).Type() {
 		case
 			header.ICMPv4EchoReply,
author	Andrei Vagin <avagin@google.com>	2021-10-26 15:20:07 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-10-26 15:23:34 -0700
commit	f54a25c1f03e705f2fb65be7389ddeb37bc5e64e (patch)
tree	6509135bafd1c73833372a57e2b50defa5d0a88f /pkg
parent	722d7ca744db6aab442bc71bb50b64599c8fa522 (diff)