Reject certain malformed IPv4 packets.

whitequark · whitequark · commit 181083f18c97 · 2018-01-30T03:24:50.000Z
Reported independently, but testcase found via cargo-fuzz.
diff --git a/src/wire/ipv4.rs b/src/wire/ipv4.rs
@@ -184,6 +184,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
 
     /// Ensure that no accessor method will panic if called.
     /// Returns `Err(Error::Truncated)` if the buffer is too short.
+    /// Returns `Err(Error::Malformed)` if the header length is greater
+    /// than total length.
     ///
     /// The result of this check is invalidated by calling [set_header_len]
     /// and [set_total_len].
@@ -196,6 +198,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
             Err(Error::Truncated)
         } else if len < self.header_len() as usize {
             Err(Error::Truncated)
+        } else if self.header_len() as u16 > self.total_len() {
+            Err(Error::Malformed)
         } else if len < self.total_len() as usize {
             Err(Error::Truncated)
         } else {
@@ -739,6 +743,13 @@ mod test {
         assert_eq!(Repr::parse(&packet, &ChecksumCapabilities::default()), Err(Error::Malformed));
     }
 
+    #[test]
+    fn test_parse_total_len_less_than_header_len() {
+        let mut bytes = vec![0; 40];
+        bytes[0] = 0x09;
+        assert_eq!(Packet::new_checked(&mut bytes), Err(Error::Malformed));
+    }
+
     #[test]
     fn test_emit() {
         let repr = packet_repr();
