Hi Ramon,

On Wed, May 25, 2022 at 11:46 PM Ramon Fried <rfried....@gmail.com> wrote:
> Hi Nicolas,
> Thanks for the research.
> I have read your description thoroughly, very interesting.
> I will implement fixes to the findings.

Is it enough to add the check below?

--- a/net/net.c +++ b/net/net.c @@ -906,6 +906,9 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) uchar *indata = (uchar *)ip; int offset8, start, len, done = 0; u16 ip_off = ntohs(ip->ip_off); + + if (ip->ip_len < 28) + return NULL; /* payload starts after IP header, this fragment is in there */ payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
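Review bot: the added check compares the raw `ip->ip_len` field, but that field is a network-order u16 just like `ip_off`, which the line immediately above converts with `ntohs(ip->ip_off)`; compare `ntohs(ip->ip_len) < 28` instead, otherwise the test is evaluated on a byte-swapped value and accepts or rejects the wrong lengths. The literal 28 should also be named rather than hard-coded: the context line `payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);` already uses `IP_HDR_SIZE`, so express the minimum as the IP header size plus the UDP header size. Finally, `ip_len` is read straight from the packet, so a lower bound on its own is not enough; the function receives the real received length through `lenp`, and the header-claimed length should be checked against it as well so a fragment cannot declare more bytes than were actually received.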