net: ipv6: Skip unknown options in NA message

Ruslan Mstoi · jukkar · commit 39e37ab2ab85 · 2017-06-01T09:36:24.000+03:00
If we receive unknown option in neighbor advertisement message,
then skip those properly. Old code did not check the length of
the extension options which could cause infinite loop.

Jira: ZEP-2219

Signed-off-by: Ruslan Mstoi &lt;ruslan.mstoi@intel.com&gt;
diff --git a/subsys/net/ip/ipv6.c b/subsys/net/ip/ipv6.c
@@ -1662,7 +1662,7 @@ static enum net_verdict handle_na_input(struct net_pkt *pkt)
 					     net_pkt_ipv6_ext_opt_len(pkt) +
 					     (hdr->len << 3));
 
-		if (prev_opt_len == net_pkt_ipv6_ext_opt_len(pkt)) {
+		if (prev_opt_len >= net_pkt_ipv6_ext_opt_len(pkt)) {
 			NET_ERR("Corrupted NA message");
 			goto drop;
 		}

Original file line number	Diff line number	Diff line change
`@@ -1662,7 +1662,7 @@ static enum net_verdict handle_na_input(struct net_pkt *pkt)`
`1662`	`1662`	`net_pkt_ipv6_ext_opt_len(pkt) +`
`1663`	`1663`	`(hdr->len << 3));`
`1664`	`1664`
`1665`		`- if (prev_opt_len == net_pkt_ipv6_ext_opt_len(pkt)) {`
	`1665`	`+ if (prev_opt_len >= net_pkt_ipv6_ext_opt_len(pkt)) {`
`1666`	`1666`	`NET_ERR("Corrupted NA message");`
`1667`	`1667`	`goto drop;`
`1668`	`1668`	`}`