From d7000477d4eaceff77aca8ba0ea65fe2356c3410 Mon Sep 17 00:00:00 2001 From: krzysztof-cabaj Date: Wed, 13 Sep 2023 14:31:35 -0400 Subject: [PATCH] gnrc/icmpv6: add check for too big icmpv6 packets --- sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c b/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c index a6b9003d66..6c6fe939d4 100644 --- a/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c +++ b/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c @@ -150,6 +150,12 @@ int gnrc_icmpv6_echo_send(const gnrc_netif_t *netif, const ipv6_addr_t *addr, ipv6_hdr_t *ipv6; uint8_t *databuf; + /* max IPv6 payload 65535 minus 8 bytes of icmp header = 65527 */ + if (len > (UINT16_MAX - sizeof(icmpv6_hdr_t))) { + DEBUG("error: wrong icmpv6 packet length\n"); + return -EINVAL; + } + pkt = gnrc_icmpv6_echo_build(ICMPV6_ECHO_REQ, id, seq, NULL, len); if (pkt == NULL) { DEBUG("error: packet buffer full\n");