From c06289459f8fe84f8b09fa373d3b2ae056bab190 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Mon, 4 Apr 2016 11:51:47 +0200 Subject: [PATCH] rdisc: reject invalid prefix lengths from router advertisements Later in NMDevice's rdisc_config_changed(), we already reject routes with plen==0. Just do it earlier. We would however not reject bogus routes with a prefix larger then 128. That would later lead to an error when trying to add such a route to the kernel. --- src/rdisc/nm-lndp-rdisc.c | 5 +++++ src/rdisc/nm-rdisc.c | 3 +++ 2 files changed, 8 insertions(+) diff --git a/src/rdisc/nm-lndp-rdisc.c b/src/rdisc/nm-lndp-rdisc.c index 28d5cdd3cf..0c5971f42b 100644 --- a/src/rdisc/nm-lndp-rdisc.c +++ b/src/rdisc/nm-lndp-rdisc.c @@ -158,6 +158,8 @@ receive_ra (struct ndp *ndp, struct ndp_msg *msg, gpointer user_data) /* Device route */ r_plen = ndp_msg_opt_prefix_len (msg, offset); + if (r_plen == 0 || r_plen > 128) + continue; nm_utils_ip6_address_clear_host_address (&r_network, ndp_msg_opt_prefix (msg, offset), r_plen); if (ndp_msg_opt_prefix_flag_on_link (msg, offset)) { @@ -197,6 +199,9 @@ receive_ra (struct ndp *ndp, struct ndp_msg *msg, gpointer user_data) .preference = translate_preference (ndp_msg_opt_route_preference (msg, offset)), }; + if (route.plen == 0 || route.plen > 128) + continue; + /* Routers through this particular gateway */ nm_utils_ip6_address_clear_host_address (&route.network, ndp_msg_opt_route_prefix (msg, offset), route.plen); if (nm_rdisc_add_route (rdisc, &route)) diff --git a/src/rdisc/nm-rdisc.c b/src/rdisc/nm-rdisc.c index 689fe7f6f5..12e3962b0d 100644 --- a/src/rdisc/nm-rdisc.c +++ b/src/rdisc/nm-rdisc.c @@ -212,6 +212,9 @@ nm_rdisc_add_route (NMRDisc *rdisc, const NMRDiscRoute *new) { int i, insert_idx = -1; + if (new->plen == 0 || new->plen > 128) + return FALSE; + for (i = 0; i < rdisc->routes->len; i++) { NMRDiscRoute *item = &g_array_index (rdisc->routes, NMRDiscRoute, i);