From 4b545b04f6533b5e0377f2d2dec219ad816e47ed Mon Sep 17 00:00:00 2001 From: Paul Jensen Date: Wed, 20 Jul 2016 15:01:17 -0400 Subject: [PATCH] Sanity check ICMP6 router advertisement packets There is a chance a packet can slip by before we install the filter on our socket listening for RAs, so add some basic sanity checking to make sure we've recieved an RA. Change-Id: I14cf84a0814896a41e00f50af376dfc4988d36cb Fixes: 29586253 --- services/net/java/android/net/apf/ApfFilter.java | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/services/net/java/android/net/apf/ApfFilter.java b/services/net/java/android/net/apf/ApfFilter.java index 0f812acf67bdb..4bb0902f2ec04 100644 --- a/services/net/java/android/net/apf/ApfFilter.java +++ b/services/net/java/android/net/apf/ApfFilter.java @@ -192,6 +192,7 @@ public class ApfFilter { private static final int ICMP6_TYPE_OFFSET = ETH_HEADER_LEN + IPV6_HEADER_LEN; private static final int ICMP6_NEIGHBOR_ANNOUNCEMENT = 136; + private static final int ICMP6_ROUTER_ADVERTISEMENT = 134; // NOTE: this must be added to the IPv4 header length in IPV4_HEADER_SIZE_MEMORY_SLOT private static final int UDP_DESTINATION_PORT_OFFSET = ETH_HEADER_LEN + 2; @@ -452,6 +453,16 @@ public class ApfFilter { Ra(byte[] packet, int length) { mPacket = ByteBuffer.wrap(Arrays.copyOf(packet, length)); mLastSeen = curTime(); + + // Sanity check packet in case a packet arrives before we attach RA filter + // to our packet socket. b/29586253 + if (getUint16(mPacket, ETH_ETHERTYPE_OFFSET) != ETH_P_IPV6 || + uint8(mPacket.get(IPV6_NEXT_HEADER_OFFSET)) != IPPROTO_ICMPV6 || + uint8(mPacket.get(ICMP6_TYPE_OFFSET)) != ICMP6_ROUTER_ADVERTISEMENT) { + throw new IllegalArgumentException("Not an ICMP6 router advertisement"); + } + + RaEvent.Builder builder = new RaEvent.Builder(); // Ignore the checksum.