diff --git a/net/devif/ipv4_input.c b/net/devif/ipv4_input.c index 1b3caf5087f..bd006908335 100644 --- a/net/devif/ipv4_input.c +++ b/net/devif/ipv4_input.c @@ -116,10 +116,6 @@ #define TCP_REASS_BUFSIZE (NET_DEV_MTU(dev) - NET_LL_HDRLEN(dev)) #define TCP_REASS_LASTFRAG 0x01 -/**************************************************************************** - * Public Data - ****************************************************************************/ - /**************************************************************************** * Private Data ****************************************************************************/ @@ -323,6 +319,7 @@ nullreturn: int ipv4_input(FAR struct net_driver_s *dev) { FAR struct ipv4_hdr_s *pbuf = BUF; + uint16_t hdrlen; uint16_t iplen; /* This is where the input processing starts. */ @@ -346,6 +343,17 @@ int ipv4_input(FAR struct net_driver_s *dev) goto drop; } + /* Get the size of the packet minus the size of link layer header */ + + hdrlen = NET_LL_HDRLEN(dev); + if ((hdrlen + IPv4_HDRLEN) > dev->d_len) + { + nlldbg("Packet shorter than IPv4 header\n"); + goto drop; + } + + dev->d_len -= hdrlen; + /* Check the size of the packet. If the size reported to us in d_len is * smaller the size reported in the IP header, we assume that the packet * has been corrupted in transit. If the size of d_len is larger than the diff --git a/net/devif/ipv6_input.c b/net/devif/ipv6_input.c index f5be1751f08..dcb2610626e 100644 --- a/net/devif/ipv6_input.c +++ b/net/devif/ipv6_input.c @@ -108,18 +108,6 @@ #define IPv6BUF ((FAR struct ipv6_hdr_s *)&dev->d_buf[NET_LL_HDRLEN(dev)]) -/**************************************************************************** - * Public Data - ****************************************************************************/ - -/**************************************************************************** - * Private Data - ****************************************************************************/ - -/**************************************************************************** - * Private Functions - ****************************************************************************/ - /**************************************************************************** * Public Functions ****************************************************************************/ @@ -142,6 +130,7 @@ int ipv6_input(FAR struct net_driver_s *dev) { FAR struct ipv6_hdr_s *ipv6 = IPv6BUF; + uint16_t hdrlen; uint16_t pktlen; /* This is where the input processing starts. */ @@ -166,6 +155,17 @@ int ipv6_input(FAR struct net_driver_s *dev) goto drop; } + /* Get the size of the packet minus the size of link layer header */ + + hdrlen = NET_LL_HDRLEN(dev); + if ((hdrlen + IPv6_HDRLEN) > dev->d_len) + { + nlldbg("Packet shorter than IPv6 header\n"); + goto drop; + } + + dev->d_len -= hdrlen; + /* Check the size of the packet. If the size reported to us in d_len is * smaller the size reported in the IP header, we assume that the packet * has been corrupted in transit. If the size of d_len is larger than the