author | Quentin Young <qlyoung@cumulusnetworks.com> | 2019-12-12 06:09:39 +0100 |
---|---|---|
committer | Quentin Young <qlyoung@cumulusnetworks.com> | 2019-12-12 07:03:13 +0100 |
commit | 01e3c3764deda6af62af1baa13b195af7672947e (patch) | |
tree | fa6bf9c1d8b03f9ac555d7ba95c55cf637a71c9a | |
parent | Merge pull request #5528 from opensourcerouting/bmp-dns-fixing (diff) | |
ospfd: fix misplaced trust in ip header length
We actually don't validate the IHL field, although it certainly looks
like we do at a casual glance.
This patch saves us from an assert in case we actually do get an IP
packet with an incorrect header length field.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
-rw-r--r-- | ospfd/ospf_packet.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 80ffc3f36..0d520f8b0 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -3001,11 +3001,23 @@ static enum ospf_read_return_enum ospf_read_helper(struct ospf *ospf)
 return OSPF_READ_CONTINUE;
 }
- /*
- * Advance from IP header to OSPF header (iph->ip_hl has
- * been verified by ospf_recv_packet() to be correct).
- */
- stream_forward_getp(ibuf, iph->ip_hl * 4);
+ /* Check that we have enough for an IP header */
+ if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf)) {
+ if ((unsigned int)(iph->ip_hl << 2) == STREAM_READABLE(ibuf)) {
+ flog_warn(
+ EC_OSPF_PACKET,
+ "Rx'd IP packet with OSPF protocol number but no payload");
+ } else {
+ flog_warn(
+ EC_OSPF_PACKET,
+ "IP header length field claims header is %u bytes, but we only have %zu",
+ (unsigned int)(iph->ip_hl << 2),
+ STREAM_READABLE(ibuf));
+ }
+
+ return OSPF_READ_ERROR;
+ }
+ stream_forward_getp(ibuf, iph->ip_hl << 2);
 ospfh = (struct ospf_header *)stream_pnt(ibuf);
 if (MSG_OK |
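Review bot: The added comparison bounds the IHL only from above, so a value below 5 (under 20 bytes, including 0) still passes and `stream_forward_getp()` advances by less than a full IP header. The cast to `struct ospf_header *` on the next line then reads IP header bytes as OSPF fields. Unless the minimum is enforced before this point (the commit message suggests IHL is not validated elsewhere), add a lower-bound guard ahead of the comparison, assuming `iph` is a `struct ip *`: `if ((unsigned int)(iph->ip_hl << 2) < sizeof(struct ip)) return OSPF_READ_ERROR;`. Passing the check also guarantees only one readable byte after the IP header, so the `MSG_OK` test that is cut off at the end of the hunk has to be what rejects a truncated OSPF header; `ospf_read_helper()` starts and ends outside the hunk, so that cannot be confirmed from here. As a style point, `(unsigned int)(iph->ip_hl << 2)` is spelled out four times and would read better as one local, for example `unsigned int ip_hdr_len = iph->ip_hl << 2;`.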