Commit Graph

1 Commits

Author SHA1 Message Date
Denis Ovsienko
d6913f7e3f CVE-2017-5204/IPv6: fix header printing
Add a few checks to ip6_print() to make it stop decoding the IPv6
headers immediately when the header-specific functions signal an error
condition. Without this it tried to fetch the next header selector for
the next round regardless and could run outside of the allocated packet
space on a specially crafted IPv6 packet.

Brian Carpenter has demonstrated this for the Hop-by-Hop Options header.
Fix that specific case and also the Destination Options and Fragment
header processing as those use the same logic.
2017-01-18 09:16:41 +01:00