Skip to content

Commit

Permalink
Reject certain malformed IPv4 packets.
Browse files Browse the repository at this point in the history 
Reported independently, but testcase found via cargo-fuzz.
  • Loading branch information
@whitequark
whitequark committed Jan 30, 2018
1 parent 0818612 commit 181083f
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions src/wire/ipv4.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,8 @@ impl<T: AsRef<[u8]>> Packet<T> {

/// Ensure that no accessor method will panic if called.
/// Returns `Err(Error::Truncated)` if the buffer is too short.
/// Returns `Err(Error::Malformed)` if the header length is greater
/// than total length.
///
/// The result of this check is invalidated by calling [set_header_len]
/// and [set_total_len].
Expand All @@ -196,6 +198,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
Err(Error::Truncated)
} else if len < self.header_len() as usize {
Err(Error::Truncated)
} else if self.header_len() as u16 > self.total_len() {
Err(Error::Malformed)
} else if len < self.total_len() as usize {
Err(Error::Truncated)
} else {
Expand Down Expand Up @@ -739,6 +743,13 @@ mod test {
assert_eq!(Repr::parse(&packet, &ChecksumCapabilities::default()), Err(Error::Malformed));
}

#[test]
fn test_parse_total_len_less_than_header_len() {
let mut bytes = vec![0; 40];
bytes[0] = 0x09;
assert_eq!(Packet::new_checked(&mut bytes), Err(Error::Malformed));
}

#[test]
fn test_emit() {
let repr = packet_repr();
Expand Down

0 comments on commit 181083f

Please sign in to comment.