FIX: CVE-2022-30790, CVE-2022-30552

BugzId: 80018 BugzId: 80019
2022-06-09 09:32:06 +02:00 · 2022-06-09 09:32:06 +02:00 · 0d562ef932
parent ea62802ceb
commit 0d562ef932
2 changed files with 5 additions and 0 deletions
--- a/include/net.h
+++ b/include/net.h
@ -379,6 +379,8 @@ struct ip_hdr {

 #define IP_HDR_SIZE		(sizeof(struct ip_hdr))

+#define IP_MIN_FRAG_DATAGRAM_SIZE	(IP_HDR_SIZE + 8)
+
 /*
 *	Internet Protocol (IP) + UDP header.
 */
--- a/net/net.c
+++ b/net/net.c
@ -862,6 +862,9 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
 	int offset8, start, len, done = 0;
 	u16 ip_off = ntohs(ip->ip_off);

+	if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
+		return NULL;
+
 	/* payload starts after IP header, this fragment is in there */
 	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
 	offset8 =  (ip_off & IP_OFFS);