net: ipv6_fragment: fix NULL pointer dereference issues

If we have less fragments than what can be stored in the reassembly array, some loops will blindly dereference NULL pointers. Add checks for NULL pointers when necessary and exit the loop. Signed-off-by: Florian Vaussard <[email protected]>
mjaun · Sep 23, 2021 · e6a1643 · e6a1643
1 parent 5252468
commit e6a1643
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/subsys/net/ip/ipv6_fragment.c b/subsys/net/ip/ipv6_fragment.c
@@ -249,6 +249,9 @@ static void reassemble_packet(struct net_ipv6_reassembly *reass)
 		int removed_len;
 
 		pkt = reass->pkt[i];
+		if (!pkt) {
+			break;
+		}
 
 		net_pkt_cursor_init(pkt);
 
@@ -378,6 +381,9 @@ static bool fragment_verify(struct net_ipv6_reassembly *reass)
 	}
 
 	for (i = 1; i < CONFIG_NET_IPV6_FRAGMENT_MAX_PKT; i++) {
+		if (!reass->pkt[i]) {
+			break;
+		}
 		offset = net_pkt_ipv6_fragment_offset(reass->pkt[i]);
 
 		NET_DBG("pkt %p offset %u prev_len %d", reass->pkt[i],