From 8b6d8d7fce6495650c403d3816e24ce801bd4ca0 Mon Sep 17 00:00:00 2001
From: whitequark <pz@m-labs.hk>
Date: Tue, 30 Jan 2018 03:24:39 +0000
Subject: [PATCH] Reject certain malformed IPv4 packets.

Reported independently, but testcase found via cargo-fuzz.
---
 src/wire/ipv4.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/wire/ipv4.rs b/src/wire/ipv4.rs
index 2734c36..69f79ea 100644
--- a/src/wire/ipv4.rs
+++ b/src/wire/ipv4.rs
@@ -184,6 +184,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
 
     /// Ensure that no accessor method will panic if called.
     /// Returns `Err(Error::Truncated)` if the buffer is too short.
+    /// Returns `Err(Error::Malformed)` if the header length is greater
+    /// than total length.
     ///
     /// The result of this check is invalidated by calling [set_header_len]
     /// and [set_total_len].
@@ -196,6 +198,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
             Err(Error::Truncated)
         } else if len < self.header_len() as usize {
             Err(Error::Truncated)
+        } else if self.header_len() as u16 > self.total_len() {
+            Err(Error::Malformed)
         } else if len < self.total_len() as usize {
             Err(Error::Truncated)
         } else {
@@ -739,6 +743,13 @@ mod test {
         assert_eq!(Repr::parse(&packet, &ChecksumCapabilities::default()), Err(Error::Malformed));
     }
 
+    #[test]
+    fn test_parse_total_len_less_than_header_len() {
+        let mut bytes = vec![0; 40];
+        bytes[0] = 0x09;
+        assert_eq!(Packet::new_checked(&mut bytes), Err(Error::Malformed));
+    }
+
     #[test]
     fn test_emit() {
         let repr = packet_repr();