Skip to content

Commit d64dcbb

Browse files
Nils Bernsdorfmiri64
authored andcommitted
gnrc_ipv6_ext_frag: fail on first fragment buffer is too small
This case can happen if a second, but larger first fragment is send after a smaller.
1 parent 55564ab commit d64dcbb

File tree

1 file changed

+5
-0
lines changed

1 file changed

+5
-0
lines changed

sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -524,6 +524,11 @@ gnrc_pktsnip_t *gnrc_ipv6_ext_frag_reass(gnrc_pktsnip_t *pkt)
524524
DEBUG("ipv6_ext_frag: fragment length not divisible by 8");
525525
goto error_exit;
526526
}
527+
else if (rbuf->pkt != NULL && rbuf->pkt->size < pkt->size) {
528+
DEBUG("ipv6_ext_frag: reassembly buffer too small to fit first "
529+
"fragment\n");
530+
goto error_exit;
531+
}
527532
_set_nh(fh_snip->next, nh);
528533
gnrc_pktbuf_remove_snip(pkt, fh_snip);
529534
/* TODO: RFC 8200 says "- 8"; determine if `sizeof(ipv6_ext_frag_t)` is

0 commit comments

Comments
 (0)