diff options
| author | Satoshi Fujimoto <satoshi.fujimoto7@gmail.com> | 2017-08-02 15:01:02 +0900 |
|---|---|---|
| committer | FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> | 2017-08-04 21:11:49 +0900 |
| commit | 7f537c4185dd0ab5da58d00299aa61a6ccf63df3 (patch) | |
| tree | 8d908482013976a460a2cf0ef09c6ff38d25a0c9 | |
| parent | ee9a197dd6e7fd00858dbf50ba804c41d29e3625 (diff) | |
packet/icmpv6: Assert length in options are valid
About the 'length' field in ICMPv6 options,
RFC4861 says that "The value 0 is invalid".
This patch adds assertions to raise a exception
for such invalid ICMPv6 packets.
Reported-by: William Fisher <william.w.fisher@gmail.com>
Reported-by: Shivaram Mysore <shivaram.mysore@gmail.com>
Signed-off-by: Satoshi Fujimoto <satoshi.fujimoto7@gmail.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
| -rw-r--r-- | ryu/lib/packet/icmpv6.py | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/ryu/lib/packet/icmpv6.py b/ryu/lib/packet/icmpv6.py index 7608169b..fe94c77f 100644 --- a/ryu/lib/packet/icmpv6.py +++ b/ryu/lib/packet/icmpv6.py @@ -206,7 +206,9 @@ class nd_neighbor(stringify.StringifyMixin): offset += cls._MIN_LEN option = None if len(buf) > offset: - (type_, ) = struct.unpack_from('!B', buf, offset) + (type_, length) = struct.unpack_from('!BB', buf, offset) + if length == 0: + raise struct.error('Invalid length: {len}'.format(len=length)) cls_ = cls._ND_OPTION_TYPES.get(type_) if cls_ is not None: option = cls_.parser(buf, offset) @@ -277,7 +279,9 @@ class nd_router_solicit(stringify.StringifyMixin): offset += cls._MIN_LEN option = None if len(buf) > offset: - (type_, ) = struct.unpack_from('!B', buf, offset) + (type_, length) = struct.unpack_from('!BB', buf, offset) + if length == 0: + raise struct.error('Invalid length: {len}'.format(len=length)) cls_ = cls._ND_OPTION_TYPES.get(type_) if cls_ is not None: option = cls_.parser(buf, offset) @@ -359,6 +363,8 @@ class nd_router_advert(stringify.StringifyMixin): options = [] while len(buf) > offset: (type_, length) = struct.unpack_from('!BB', buf, offset) + if length == 0: + raise struct.error('Invalid length: {len}'.format(len=length)) cls_ = cls._ND_OPTION_TYPES.get(type_) if cls_ is not None: option = cls_.parser(buf, offset) |