From 2d06483d8e28b98939f5d06f996c09e26a008d32 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Tue, 9 Jan 2018 10:24:26 +0100 Subject: [PATCH] ip4_frag: don't use LWIP_ERROR where we might depend in input data fuzz test revealed that an ip header with options might land in ip4_frag() via ICMP. In this case, we can't use LWIP_ERROR() to check for not having ip options as that might be defined to assert --- src/core/ipv4/ip4_frag.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/core/ipv4/ip4_frag.c b/src/core/ipv4/ip4_frag.c index b1ca15f3..df78cddc 100644 --- a/src/core/ipv4/ip4_frag.c +++ b/src/core/ipv4/ip4_frag.c @@ -748,7 +748,10 @@ ip4_frag(struct pbuf *p, struct netif *netif, const ip4_addr_t *dest) original_iphdr = (struct ip_hdr *)p->payload; iphdr = original_iphdr; - LWIP_ERROR("ip4_frag() does not support IP options", IPH_HL_BYTES(iphdr) == IP_HLEN, return ERR_VAL); + if (IPH_HL_BYTES(iphdr) != IP_HLEN) { + /* ip4_frag() does not support IP options */ + return ERR_VAL; + } LWIP_ERROR("ip4_frag(): pbuf too short", p->len >= IP_HLEN, return ERR_VAL); /* Save original offset */