From a29df56eab4ad7957649834c1120c69ce03115ee Mon Sep 17 00:00:00 2001 From: Ehsan Mohandesi Date: Thu, 18 May 2023 11:24:38 -0700 Subject: [PATCH] net: ipv6: router advertisement message length should be within limits The argument len passed to function process_ra is the length of the IPv6 router advertisement message and needs to be between 0 and MTU because it is assigned to remaining_option_len and used as a loop variable. Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR") Signed-off-by: Ehsan Mohandesi Reviewed-by: Viacheslav Mitrofanov Reviewed-by: Ramon Fried --- net/ndisc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ndisc.c b/net/ndisc.c index 0b27779ce5..d1cec0601c 100644 --- a/net/ndisc.c +++ b/net/ndisc.c @@ -382,6 +382,8 @@ int process_ra(struct ip6_hdr *ip6, int len) unsigned char type = 0; struct icmp6_ra_prefix_info *prefix = NULL; + if (len > ETH_MAX_MTU) + return -EMSGSIZE; /* Ignore the packet if router lifetime is 0. */ if (!icmp->icmp6_rt_lifetime) return -EOPNOTSUPP;
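Review bot: The new check in process_ra() tests only the upper bound, while the commit message says len must be between 0 and MTU. Because len is a signed int, a negative value passes `if (len > ETH_MAX_MTU)` and would still reach the assignment to remaining_option_len that the message describes as a loop variable. Consider `if (len < 0 || len > ETH_MAX_MTU)` so both ends of the stated range are enforced, or make the parameter unsigned if no caller relies on a negative value. It may also be worth confirming that len covers the fixed router advertisement header before icmp->icmp6_rt_lifetime is read on the following lines, since this hunk does not establish a minimum. As a style point, a blank line between the new return and the "Ignore the packet if router lifetime is 0" comment would keep the two checks visually separate.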