c583c04062
When calculating the length of the IPv6 header chain, lengths of the IPv6 extension headers are not checked against the overall packet lengths and thus it's possible to parse past the end of the packet when the packet is malformed. This adds the necessary bounds checking to ensure that parsing stops if the end of the packet is reached to avoid the following: Unable to handle kernel paging request at virtual address pc : rmnet_frag_ipv6_skip_exthdr+0xc0/0x108 [rmnet_core] lr : rmnet_frag_ipv6_skip_exthdr+0x68/0x108 [rmnet_core] Call trace: rmnet_frag_ipv6_skip_exthdr+0xc0/0x108 [rmnet_core] DATARMNET29e8d137c4+0x1a0/0x3e0 [rmnet_offload] rmnet_frag_ingress_handler+0x294/0x404 [rmnet_core] rmnet_rx_handler+0x1b4/0x284 [rmnet_core] __netif_receive_skb_core+0x740/0xd2c __netif_receive_skb+0x44/0x158 Change-Id: Ib2e2ebce733bd4d14a3dfc175133638b15015277 Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>