Google Git
Sign in
go / net / ec5a957fe4e4ecea3262ce750e040e8b2ca5e06c^! / .
commitec5a957fe4e4ecea3262ce750e040e8b2ca5e06c[log] [tgz]
authorMikio Hara <mikioh.mikioh@gmail.com>Thu Jun 08 12:04:35 2017 +0900
committerMikio Hara <mikioh.mikioh@gmail.com>Fri Jun 09 22:10:13 2017 +0000
treee1be849448904879a434839c60a30a5b7a7383fa
parent59a0b19b5533c7977ddeb86b017bf507ed407b12 [diff]
ipv4: don't crash with corrupted control messages

Change-Id: I474b5832672e699f1eba1487f7f793bed3c1ff83
Reviewed-on: https://go-review.googlesource.com/45113
Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

diff --git a/ipv4/control.go b/ipv4/control.go
index fc99327..a2b02ca 100644
--- a/ipv4/control.go
+++ b/ipv4/control.go

@@ -83,14 +83,14 @@
 		if lvl != iana.ProtocolIP {
 			continue
 		}
-		switch typ {
-		case ctlOpts[ctlTTL].name:
+		switch {
+		case typ == ctlOpts[ctlTTL].name && l >= ctlOpts[ctlTTL].length:
 			ctlOpts[ctlTTL].parse(cm, m.Data(l))
-		case ctlOpts[ctlDst].name:
+		case typ == ctlOpts[ctlDst].name && l >= ctlOpts[ctlDst].length:
 			ctlOpts[ctlDst].parse(cm, m.Data(l))
-		case ctlOpts[ctlInterface].name:
+		case typ == ctlOpts[ctlInterface].name && l >= ctlOpts[ctlInterface].length:
 			ctlOpts[ctlInterface].parse(cm, m.Data(l))
-		case ctlOpts[ctlPacketInfo].name:
+		case typ == ctlOpts[ctlPacketInfo].name && l >= ctlOpts[ctlPacketInfo].length:
 			ctlOpts[ctlPacketInfo].parse(cm, m.Data(l))
 		}
 	}

diff --git a/ipv4/control_test.go b/ipv4/control_test.go
new file mode 100644
index 0000000..f87fe12
--- /dev/null
+++ b/ipv4/control_test.go

@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipv4_test
+
+import (
+	"testing"
+
+	"golang.org/x/net/ipv4"
+)
+
+func TestControlMessageParseWithFuzz(t *testing.T) {
+	var cm ipv4.ControlMessage
+	for _, fuzz := range []string{
+		"\f\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00",
+		"\f\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00",
+	} {
+		cm.Parse([]byte(fuzz))
+	}
+}