From f54a25c1f03e705f2fb65be7389ddeb37bc5e64e Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@google.com>
Date: Tue, 26 Oct 2021 15:20:07 -0700
Subject: Validate an icmp header before accessing it

A header can't be smaller than header.ICMPv4MinimumSize.

Reported-by: syzbot+57b68b14b4f6a58bf985@syzkaller.appspotmail.com
PiperOrigin-RevId: 405748438
---
 pkg/tcpip/network/ipv4/icmp.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'pkg')

diff --git a/pkg/tcpip/network/ipv4/icmp.go b/pkg/tcpip/network/ipv4/icmp.go
index 3eff0bbd8..59acbad02 100644
--- a/pkg/tcpip/network/ipv4/icmp.go
+++ b/pkg/tcpip/network/ipv4/icmp.go
@@ -572,6 +572,10 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 		// if problems arise this could be reversed. It was judged less of a breach
 		// of protocol to not respond to unknown non-error packets than to respond
 		// to unknown error packets so we take the first approach.
+		if len(transportHeader) < header.ICMPv4MinimumSize {
+			// The packet is malformed.
+			return nil
+		}
 		switch header.ICMPv4(transportHeader).Type() {
 		case
 			header.ICMPv4EchoReply,
-- 
cgit v1.2.3