From: Tobias Brunner Date: Fri, 1 Sep 2017 06:57:56 +0000 (+0200) Subject: ip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets X-Git-Tag: 5.6.1dr3~22^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b3cc46381d7ddcb163f93064e81207cbff348834;p=thirdparty%2Fstrongswan.git ip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets Only attempt to parse the transport header of an IPv4 packet if it's not fragmented or the first fragment. --- diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c index 78b4c407a4..61382a2da8 100644 --- a/src/libipsec/ip_packet.c +++ b/src/libipsec/ip_packet.c @@ -55,6 +55,10 @@ struct ip6_hdr { #define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */ #endif +#ifndef IP_OFFMASK +#define IP_OFFMASK 0x1fff +#endif + /** * TCP header, defined here because platforms disagree regarding member names * and unfortunately Android does not define a variant with BSD names. @@ -253,7 +257,8 @@ ip_packet_t *ip_packet_create(chunk_t packet) /* remove any RFC 4303 TFC extra padding */ packet.len = min(packet.len, untoh16(&ip->ip_len)); payload = chunk_skip(packet, ip->ip_hl * 4); - if (!parse_transport_header(payload, ip->ip_p, &sport, &dport)) + if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && + !parse_transport_header(payload, ip->ip_p, &sport, &dport)) { goto failed; }
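Review bot: The fallback `#define IP_OFFMASK 0x1fff` added after the ip6_hdr block in the first hunk has no comment, while the TCP header definition right below it explains why it exists. A one-line comment would help here, stating that this is the IPv4 fragment-offset mask in host byte order, defined for platforms whose headers lack it. That would also make it clear why the use site wraps it in htons() before masking ip->ip_off.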
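Review bot: In the ip_packet_create() hunk, when `(ip->ip_off & htons(IP_OFFMASK)) == 0` is false, parse_transport_header() is skipped, so sport and dport keep whatever values they held before this line, and their initialization is outside the visible context. Please confirm both are zeroed where they are declared. A short comment would also help, noting that non-first fragments carry no transport header and therefore report no ports, since any consumer that matches on ports will see these fragments differently from the first one. Separately, a first fragment still goes through the parser and takes `goto failed` if its payload is shorter than the transport header, so the "packet too short" path remains reachable for that case; say in the commit message whether that is intended.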