Reject certain malformed IPv4 packets.
Reported independently, but testcase found via cargo-fuzz.
This commit is contained in:
parent
d4fa764b23
commit
8b6d8d7fce
|
@ -184,6 +184,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
|
|||
|
||||
/// Ensure that no accessor method will panic if called.
|
||||
/// Returns `Err(Error::Truncated)` if the buffer is too short.
|
||||
/// Returns `Err(Error::Malformed)` if the header length is greater
|
||||
/// than total length.
|
||||
///
|
||||
/// The result of this check is invalidated by calling [set_header_len]
|
||||
/// and [set_total_len].
|
||||
|
@ -196,6 +198,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
|
|||
Err(Error::Truncated)
|
||||
} else if len < self.header_len() as usize {
|
||||
Err(Error::Truncated)
|
||||
} else if self.header_len() as u16 > self.total_len() {
|
||||
Err(Error::Malformed)
|
||||
} else if len < self.total_len() as usize {
|
||||
Err(Error::Truncated)
|
||||
} else {
|
||||
|
@ -739,6 +743,13 @@ mod test {
|
|||
assert_eq!(Repr::parse(&packet, &ChecksumCapabilities::default()), Err(Error::Malformed));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_parse_total_len_less_than_header_len() {
|
||||
let mut bytes = vec![0; 40];
|
||||
bytes[0] = 0x09;
|
||||
assert_eq!(Packet::new_checked(&mut bytes), Err(Error::Malformed));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_emit() {
|
||||
let repr = packet_repr();
|
||||
|
|
Loading…
Reference in New Issue