Commit 40413955 authored by yujuan.qi's avatar yujuan.qi Committed by David S. Miller
Browse files

Cipso: cipso_v4_optptr enter infinite loop 



in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.

Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue

Signed-off-by: default avataryujuan.qi <yujuan.qi@mediatek.com>
Acked-by: default avatarPaul Moore <paul@paul-moore.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fdaa419b

net/ipv4/cipso_ipv4.c

+10 −2
Original line number Diff line number Diff line
@@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) 
	int taglen;



	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {

		if (optptr[0] == IPOPT_CIPSO)

		switch (optptr[0]) {

		case IPOPT_CIPSO:

			return optptr;

		case IPOPT_END:

			return NULL;

		case IPOPT_NOOP:

			taglen = 1;

			break;

		default:

			taglen = optptr[1];

		}

		optlen -= taglen;

		optptr += taglen;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE