From: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
Date: Thu, 18 May 2023 18:24:38 +0000 (-0700)
Subject: net: ipv6: router advertisement message length should be within limits
X-Git-Tag: v2023.10-rc2~19^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a29df56eab4ad7957649834c1120c69ce03115ee;p=thirdparty%2Fu-boot.git

net: ipv6: router advertisement message length should be within limits

The argument len passed to function process_ra is the length of the IPv6
router advertisement message and needs to be between 0 and MTU because
it is assigned to remaining_option_len and used as a loop variable.

Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR")
Signed-off-by: Ehsan Mohandesi <emohandesi@linux.microsoft.com>
Reviewed-by: Viacheslav Mitrofanov <v.v.mitrofanov@yadro.com>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
---

diff --git a/net/ndisc.c b/net/ndisc.c
index 0b27779ce5a..d1cec0601c8 100644
--- a/net/ndisc.c
+++ b/net/ndisc.c
@@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len)
 	unsigned char type = 0;
 	struct icmp6_ra_prefix_info *prefix = NULL;
 
+	if (len > ETH_MAX_MTU)
+		return -EMSGSIZE;
 	/* Ignore the packet if router lifetime is 0. */
 	if (!icmp->icmp6_rt_lifetime)
 		return -EOPNOTSUPP;