From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id E4CACC77B7D for ; Thu, 18 May 2023 18:24:51 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B091F86124; Thu, 18 May 2023 20:24:49 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="QJ7Afbrw"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 64F39862A7; Thu, 18 May 2023 20:24:48 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by phobos.denx.de (Postfix) with ESMTP id 2F14685845 for ; Thu, 18 May 2023 20:24:46 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=emohandesi@linux.microsoft.com Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id EE8FC20FB1A6; Thu, 18 May 2023 11:24:44 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com EE8FC20FB1A6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1684434285; bh=IMnV5wvgNzOwpgnMU59rEs3ZDEdv0OzxmAzPsfglE/o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QJ7Afbrwh/wTMB1bvPjYNBvsHqUrsIt8+VKeXMRUFW8RekVpMNXP3GDnCBfL/wF0Y OcKdGzY/azPz7BiGYql0tQN8iqGIMPmqQRWyekSdkYt/TriF/WGPuChFBVEc+4GcZL L36OEK5EEFYnNhXMr8abG9MvH/C77meXVs/Jh3E8= From: emohandesi@linux.microsoft.com To: u-boot@lists.denx.de Cc: joe.hershberger@ni.com, rfried.dev@gmail.com, v.v.mitrofanov@yadro.com, sjg@chromium.org, emohandesi@linux.microsoft.com, saproj@gmail.com Subject: [PATCH 1/2] net: ipv6: router advertisement message length should be within limits Date: Thu, 18 May 2023 11:24:38 -0700 Message-Id: <1684434279-1065-2-git-send-email-emohandesi@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1684434279-1065-1-git-send-email-emohandesi@linux.microsoft.com> References: <1684434279-1065-1-git-send-email-emohandesi@linux.microsoft.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean From: Ehsan Mohandesi The argument len passed to function process_ra is the length of the IPv6 router advertisement message and needs to be between 0 and MTU because it is assigned to remaining_option_len and used as a loop variable. Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR") Signed-off-by: Ehsan Mohandesi --- net/ndisc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ndisc.c b/net/ndisc.c index 0b27779..d1cec06 100644 --- a/net/ndisc.c +++ b/net/ndisc.c @@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len) unsigned char type = 0; struct icmp6_ra_prefix_info *prefix = NULL; + if (len > ETH_MAX_MTU) + return -EMSGSIZE; /* Ignore the packet if router lifetime is 0. */ if (!icmp->icmp6_rt_lifetime) return -EOPNOTSUPP; -- 1.8.3.1