Fix a crash parsing a malformed IPv4 packet.

Found via cargo-fuzz.
smoltcp-rs · Jun 24, 2017 · b33d867 · b33d867
1 parent 6447d94
commit b33d867
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/src/wire/ipv4.rs b/src/wire/ipv4.rs
@@ -402,6 +402,8 @@ impl Repr {
         if packet.header_len() > 20 { return Err(Error::Unrecognized) }
         // We do not support fragmentation.
         if packet.more_frags() || packet.frag_offset() != 0 { return Err(Error::Fragmented) }
+        // Total length may not be less than header length.
+        if packet.total_len() < packet.header_len() as u16 { return Err(Error::Malformed) }
         // Since the packet is not fragmented, it must include the entire payload.
         let payload_len = packet.total_len() as usize - packet.header_len() as usize;
         if packet.payload().len() < payload_len  { return Err(Error::Truncated) }
@@ -630,6 +632,17 @@ mod test {
         assert_eq!(repr, packet_repr());
     }
 
+    #[test]
+    fn test_parse_total_len_underflow() {
+        let mut bytes = vec![0; 24];
+        bytes.copy_from_slice(&REPR_PACKET_BYTES[..]);
+        let mut packet = Packet::new(&mut bytes);
+        packet.set_total_len(10);
+        packet.fill_checksum();
+        let packet = Packet::new(&*packet.into_inner());
+        assert_eq!(Repr::parse(&packet), Err(Error::Malformed));
+    }
+
     #[test]
     fn test_emit() {
         let repr = packet_repr();