Skip to content

net/icmpv6: Discard Neighbor Discovery packet if optlen is 0#18843

Merged
acassis merged 1 commit into
apache:masterfrom
acassis:fix_net
May 4, 2026
Merged

net/icmpv6: Discard Neighbor Discovery packet if optlen is 0#18843
acassis merged 1 commit into
apache:masterfrom
acassis:fix_net

Conversation

@acassis
Copy link
Copy Markdown
Contributor

@acassis acassis commented May 3, 2026

Summary

This commit make ICMPv6 on NuttX compliant with RFC4861 ignoring a DN packet when its optlen is 0.

Impact

Make NuttX compliant with RFC 4861.

Testing

Using sim:nettest

$ sudo ./nuttx
...
nsh> ifup eth0
ifup eth0...OK
nsh> ifconfig
eth0	Link encap:Ethernet HWaddr 42:29:9f:00:77:89 at RUNNING mtu 1500
	inet addr:10.0.1.2 DRaddr:10.0.1.1 Mask:255.255.255.0
	inet6 addr: fc00::2/112
	inet6 DRaddr: fc00::1

	RX: Received Fragment Errors   Bytes   
	    0000001e 00000000 00000000 109d            
	    IPv4     IPv6     ARP      Dropped 
	    00000000 0000001e 00000000 00000000
	TX: Queued   Sent     Errors   Timeouts Bytes   
	    00000000 00000000 00000000 00000000 0                
	Total Errors: 00000000

lo	Link encap:Local Loopback at RUNNING mtu 1518
	inet addr:127.0.0.1 DRaddr:127.0.0.1 Mask:255.0.0.0
	inet6 addr: ::1/128
	inet6 DRaddr: ::1

	RX: Received Fragment Errors   Bytes   
	    00000000 00000000 00000000 0               
	    IPv4     IPv6     ARP      Dropped 
	    00000000 00000000 00000000 00000000
	TX: Queued   Sent     Errors   Timeouts Bytes   
	    00000000 00000000 00000000 00000000 0                
	Total Errors: 00000000

             IPv4  IPv6   TCP   UDP  ICMP ICMPv6
Received     0000  001e  0000  000f  0000  000f
Dropped      0000  0000  0000  0000  0000  000f
  IPv4        VHL: 0000   Frg: 0000
  IPv6        VHL: 0000
  Checksum   0000  ----  0000  0000  ----  ----
  TCP         ACK: 0000   SYN: 0000
              RST: 0000  0000
  Type       0000  0000  ----  ----  0000  000e
Sent         0000  0000  0000  0000  0000  0000
  Rexmit     ----  ----  0000  ----  ----  ----
nsh>

In another Linux terminal:

$ sudo ip -6 addr add fc00::1/112 dev tap0
$ sudo ip link set tap0 up
$ ping6 -I tap0 -c3 fc00::2
``

@acassis acassis requested a review from xiaoxiang781216 as a code owner May 3, 2026 12:45
@github-actions github-actions Bot added Area: Networking Effects networking subsystem Size: S The size of the change in this PR is small labels May 3, 2026
@github-actions github-actions Bot added Size: XS The size of the change in this PR is very small and removed Size: S The size of the change in this PR is small labels May 3, 2026
linguini1
linguini1 previously approved these changes May 3, 2026
View reviewed changes
xiaoxiang781216
xiaoxiang781216 previously approved these changes May 3, 2026
View reviewed changes
@acassis
net/icmpv6: Discard Neighbor Discovery packet if optlen is 0
0a4eed0 
This commit make ICMPv6 on NuttX compliant with RFC4861 ignoring
a Neighbor Discovery packet when its optlen is 0.

Signed-off-by: Alan C. Assis <acassis@gmail.com>
@acassis acassis dismissed stale reviews from xiaoxiang781216 and linguini1 via 0a4eed0 May 3, 2026 13:34
@ankohuu
Copy link
Copy Markdown
Contributor

ankohuu commented May 4, 2026

  • Do we need check in other ND messages?
  • Do we need to verify that the generic option header is fully present before checking opt->optlen == 0? I mean the remaining bytes should be at least the generic option header size to keep the optlen is meaningful.
  • If there are multiple options and the last one optlen == 0, we need to drop the whole packet, right? Now other options may take effect first. e.g. RA packets ICMPv6_OPT_SRCLLADDR + 0 len option

@acassis acassis merged commit 4d72eb8 into apache:master May 4, 2026
37 of 41 checks passed
@acassis
Copy link
Copy Markdown
Contributor Author

acassis commented May 4, 2026

  • Do we need check in other ND messages?

@ankohuu yes, others ND msg also should be checked according with RFC 4861, so ICMPv6_NEIGHBOR_SOLICIT and ICMPv6_NEIGHBOR_ADVERTISE also should be checked (I will send a new PR to fix). But differently from ICMPV6_ROUTER_ADVERTISE they check only a single option (so no loop). That loop was causing an issue that could stall the devices.

* Do we need to verify that the generic option header is fully present before checking `opt->optlen == 0`?  I mean the remaining bytes should be at least the generic option header size to keep the optlen is meaningful.

You are right, if ndx + sizeof(struct icmpv6_generic_s) > optlen then we will have an OOB, I will fix it as well. Thank you very much!

* If there are multiple options and the last one `optlen == 0`, we need to drop the whole packet, right? Now other options may take effect first.    e.g.  RA packets  `ICMPv6_OPT_SRCLLADDR` + 0 len option

Yes, unfortunately the RFC is ambiguous, it only said that I need to discard a packet with optlen 0. Fortunately my solution already fixes it because I do a "goto icmpv6_drop_packet" that will exit the entire loop.

@ankohuu
Copy link
Copy Markdown
Contributor

ankohuu commented May 4, 2026

Yes, unfortunately the RFC is ambiguous, it only said that I need to discard a packet with optlen 0. Fortunately my solution already fixes it because I do a "goto icmpv6_drop_packet" that will exit the entire loop.

Before drop, neighbor_add(dev, ipv6->srcipaddr, sllopt->srclladdr); the neighbor is added, but we don't need this effect.

@acassis
Copy link
Copy Markdown
Contributor Author

acassis commented May 4, 2026

Yes, unfortunately the RFC is ambiguous, it only said that I need to discard a packet with optlen 0. Fortunately my solution already fixes it because I do a "goto icmpv6_drop_packet" that will exit the entire loop.

Before drop, neighbor_add(dev, ipv6->srcipaddr, sllopt->srclladdr); the neighbor is added, but we don't need this effect.

Hmm, you are right, I think I should change the generic option header first, I will add this check:

    if (scan + sizeof(struct icmpv6_generic_s) > optlen)
      {
        goto icmpv6_drop_packet;
      }

Do you see any other issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jerpelea jerpelea jerpelea approved these changes

@linguini1 linguini1 linguini1 approved these changes

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 left review comments

Assignees

No one assigned

Labels

Area: Networking Effects networking subsystem Size: XS The size of the change in this PR is very small

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@acassis @ankohuu @jerpelea @xiaoxiang781216 @linguini1