Fix size_t underflow in ICMPv6 echo reply handler

archigup · archigup · commit 70065d84bfe2 · 2026-04-28T17:13:46.000-07:00
prvProcessICMPMessage_IPv6() subtracted sizeof(ICMPEcho_IPv6_t) from
the IPv6 Payload Length without checking that the payload is at least
that large. When Payload Length is 0, the size_t subtraction wraps to
SIZE_MAX, causing the verification loop to read far past the buffer.

Add a minimum length check before the subtraction.
diff --git a/source/FreeRTOS_ND.c b/source/FreeRTOS_ND.c
@@ -1081,6 +1081,11 @@
                                        break;
                                    }
 
+                                   if( uxDataLength < sizeof( *pxICMPEchoHeader ) )
+                                   {
+                                       break;
+                                   }
+
                                    uxDataLength = uxDataLength - sizeof( *pxICMPEchoHeader );
 
                                    /* Find the first byte of the data within the ICMP packet. */
