Don't loop forever on zero-length ICMPv6 ND options. am: 2f157c421a

am: 9bfda163e2 Change-Id: Ice002fa65828eb738323425597dec1549c0f9a42
author: Lorenzo Colitti <lorenzo@google.com> 2016-12-23 08:32:03 +0000
committer: android-build-merger <android-build-merger@google.com> 2016-12-23 08:32:03 +0000
commit: 6e22c50d7b06a6296182d9230f53b10cf5bd41b3 (patch)
tree: f0197623ea76d1d0ef12166223aac5812e70658d
parent: 69c116313704f0d2b4b19426b84557b7e265d97f (diff)
parent: 9bfda163e2b76a09d8e65899409aac9273e299e0 (diff)
2 files changed, 28 insertions, 1 deletions
diff --git a/services/net/java/android/net/util/ConnectivityPacketSummary.java b/services/net/java/android/net/util/ConnectivityPacketSummary.java
index 699ba5b6c4ad..5b068c0b2468 100644
--- a/services/net/java/android/net/util/ConnectivityPacketSummary.java
+++ b/services/net/java/android/net/util/ConnectivityPacketSummary.java
@@ -285,7 +285,10 @@ public class ConnectivityPacketSummary {
             final int ndType = asUint(mPacket.get());
             final int ndLength = asUint(mPacket.get());
             final int ndBytes = ndLength * ICMPV6_ND_OPTION_LENGTH_SCALING_FACTOR - 2;
-            if (mPacket.remaining() < ndBytes) break;
+            if (ndBytes < 0 || ndBytes > mPacket.remaining()) {
+                sj.add("<malformed>");
+                break;
+            }
             final int position = mPacket.position();
 
             switch (ndType) {
diff --git a/services/tests/servicestests/src/android/net/util/ConnectivityPacketSummaryTest.java b/services/tests/servicestests/src/android/net/util/ConnectivityPacketSummaryTest.java
index 766e5c048f1b..dd679bc20090 100644
--- a/services/tests/servicestests/src/android/net/util/ConnectivityPacketSummaryTest.java
+++ b/services/tests/servicestests/src/android/net/util/ConnectivityPacketSummaryTest.java
@@ -135,6 +135,30 @@ public class ConnectivityPacketSummaryTest extends TestCase {
         assertEquals(expected, getSummary(packet));
     }
 
+    public void testInvalidICMPv6NDLength() {
+        final String packet =
+                // Ethernet
+                "807ABF6F48F3 100E7E263FC1 86DD" +
+                // IPv6
+                "600000000068 3A FF" +
+                "FE80000000000000FA000004FD000001" +
+                "FE80000000000000827ABFFFFE6F48F3" +
+                // ICMPv6 RA
+                "86 00 8141" +
+                "40 00 0E10" +
+                "00000000" +
+                "00000000" +
+                "01 01 00005E000265" +
+                "00 00 0102030405D6";
+
+        final String expected =
+                "RX 10:0e:7e:26:3f:c1 > 80:7a:bf:6f:48:f3 ipv6" +
+                " fe80::fa00:4:fd00:1 > fe80::827a:bfff:fe6f:48f3 icmp6" +
+                " ra slla 00:00:5e:00:02:65 <malformed>";
+
+        assertEquals(expected, getSummary(packet));
+    }
+
     public void testParseICMPv6NA() {
         final String packet =
                 // Ethernet
author	Lorenzo Colitti <lorenzo@google.com>	2016-12-23 08:32:03 +0000
committer	android-build-merger <android-build-merger@google.com>	2016-12-23 08:32:03 +0000
commit	6e22c50d7b06a6296182d9230f53b10cf5bd41b3 (patch)
tree	f0197623ea76d1d0ef12166223aac5812e70658d
parent	69c116313704f0d2b4b19426b84557b7e265d97f (diff)
parent	9bfda163e2b76a09d8e65899409aac9273e299e0 (diff)