From 06653c701040f34e05d587bf14c2600f8cb3460f Mon Sep 17 00:00:00 2001 From: Rasmus Villemoes Date: Fri, 14 Oct 2022 19:43:40 +0200 Subject: [PATCH] net: fix ip_len in reassembled IP datagram For some reason, the ip_len field in a reassembled IP datagram is set to just the size of the payload, but it should be set to the value it would have had if the datagram had never been fragmented in the first place, i.e. size of payload plus size of IP header. That latter value is currently returned correctly via the "len" variable. And before entering net_defragment(), len does have the value ntohs(ip->ip_len), so if we're not dealing with a fragment (so net_defragment leaves *len alone), that relationship of course also holds after the net_defragment() call. The only use I can find of ip->ip_len after the net_defragment call is the ntohs(ip->udp_len) > ntohs(ip->ip_len) sanity check - none of the functions that are passed the "ip" pointer themselves inspect ->ip_len but instead use the passed len. But that sanity check is a bit odd, since the RHS really should be "ntohs(ip->ip_len) - 20", i.e. the IP payload size. Now that we've fixed things so that len == ntohs(ip->ip_len) in all cases, change that sanity check to use len-20 as the RHS. Signed-off-by: Rasmus Villemoes --- net/net.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/net.c b/net/net.c index 987c25931e..073fb681e5 100644 --- a/net/net.c +++ b/net/net.c @@ -1040,8 +1040,8 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) if (!done) return NULL; - localip->ip_len = htons(total_len); *lenp = total_len + IP_HDR_SIZE; + localip->ip_len = htons(*lenp); return localip; } @@ -1289,7 +1289,7 @@ void net_process_received_packet(uchar *in_packet, int len) return; } - if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len)) + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > len - IP_HDR_SIZE) return; debug_cond(DEBUG_DEV_PKT, -- 2.39.5