Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

Hannes Frederic Sowa Tue, 22 Dec 2015 05:50:44 -0800

On 22.12.2015 12:46, Huw Davies wrote:
>  
> +/* CALIPSO RFC 5570 */
> +
> +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
> +{
> +     const unsigned char *nh = skb_network_header(skb);
> +
> +     if (nh[optoff + 1] < 8)
> +             goto drop;
> +
> +     if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1])
> +             goto drop;
> +
> +     if (!calipso_validate(skb, nh + optoff))
> +             goto drop;
> +
> +     return true;
> +
> +drop:
> +     kfree_skb(skb);
> +     return false;
> +}
> +


Formally, if an extension header could not be processed, the packet
should be discarded and an icmp error parameter extension should be
send. I think we shouldn't let those packets pass here.

Thanks,
Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

Reply via email to