
Don't loop forever on zero-length ICMPv6 ND options.
authorLorenzo Colitti <lorenzo@google.com>
Fri, 23 Dec 2016 04:54:50 +0000 (13:54 +0900)
committerLorenzo Colitti <lorenzo@google.com>
Fri, 20 Jan 2017 06:48:21 +0000 (15:48 +0900)
Bug: 33828433

(cherry picked from commit 2f157c421a9fa15660b8f1bc0c64b1ebb45fa64a)

Change-Id: Icc03f0fcbf40d87e0b9c69e1172802ffcc85531b

services/net/java/android/net/util/ConnectivityPacketSummary.java
tests/net/java/android/net/util/ConnectivityPacketSummaryTest.java

index 699ba5b..5b068c0 100644 (file)
@@ -285,7 +285,10 @@ public class ConnectivityPacketSummary {
             final int ndType = asUint(mPacket.get());
             final int ndLength = asUint(mPacket.get());
             final int ndBytes = ndLength * ICMPV6_ND_OPTION_LENGTH_SCALING_FACTOR - 2;
-            if (mPacket.remaining() < ndBytes) break;
+            if (ndBytes < 0 || ndBytes > mPacket.remaining()) {
+                sj.add("<malformed>");
+                break;
+            }
             final int position = mPacket.position();
 
             switch (ndType) {
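Review bot: The guard added at `if (ndBytes < 0 || ndBytes > mPacket.remaining())` has no comment saying how `ndBytes` can be negative, which is the reason for the change. `ndLength` is read straight from the packet, so a length byte of 0 makes `ndBytes` equal to -2 after the two header bytes are subtracted. Going by the commit title, the old `remaining() < ndBytes` test let that value through and the option loop never advanced. I would add above the check: `// Length comes from the wire; 0 is invalid (RFC 4861 section 4.6) and yields ndBytes < 0, which would stall the loop.` The enclosing loop and the code that advances the buffer position are outside this hunk, so the stall itself cannot be confirmed from these lines.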
index 766e5c0..dd679bc 100644 (file)
@@ -135,6 +135,30 @@ public class ConnectivityPacketSummaryTest extends TestCase {
         assertEquals(expected, getSummary(packet));
     }
 
+    public void testInvalidICMPv6NDLength() {
+        final String packet =
+                // Ethernet
+                "807ABF6F48F3 100E7E263FC1 86DD" +
+                // IPv6
+                "600000000068 3A FF" +
+                "FE80000000000000FA000004FD000001" +
+                "FE80000000000000827ABFFFFE6F48F3" +
+                // ICMPv6 RA
+                "86 00 8141" +
+                "40 00 0E10" +
+                "00000000" +
+                "00000000" +
+                "01 01 00005E000265" +
+                "00 00 0102030405D6";
+
+        final String expected =
+                "RX 10:0e:7e:26:3f:c1 > 80:7a:bf:6f:48:f3 ipv6" +
+                " fe80::fa00:4:fd00:1 > fe80::827a:bfff:fe6f:48f3 icmp6" +
+                " ra slla 00:00:5e:00:02:65 <malformed>";
+
+        assertEquals(expected, getSummary(packet));
+    }
+
     public void testParseICMPv6NA() {
         final String packet =
                 // Ethernet
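Review bot: testInvalidICMPv6NDLength covers only the `ndBytes < 0` half of the new condition, since its last option `"00 00 0102030405D6"` has a zero length byte. The other half, `ndBytes > mPacket.remaining()`, now also appends `<malformed>` where the old code broke out silently, and no test pins that output. A second case whose final option declares more bytes than the packet holds would cover it, for example `"01 02 00005E000265"` (constructed sample: length 2 claims 16 bytes, 8 are present), with a summary that presumably ends in `ra <malformed>`. A regression of the zero-length case would hang the run instead of failing an assertion, so it is worth confirming that the harness enforces a per-test timeout.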