Merge pull request #5590 from qlyoung/fix-nhrp-underflow

nhrpd: offset value not checked for min size
author: Jafar Al-Gharaibeh <Jafaral@users.noreply.github.com> 2020-01-15 05:57:15 +0100
committer: GitHub <noreply@github.com> 2020-01-15 05:57:15 +0100
commit: dea7e8d6f710b9014197b31258db0ad45afc1d9b (patch)
tree: 2a4ed82cdfdc8492ce3916ac6a794291f5094cf7 /nhrpd
parent: Merge pull request #5657 from mjstapp/staticd_add_debugs (diff)
parent: nhrpd: offset value not checked for min size (diff)
download: frr-dea7e8d6f710b9014197b31258db0ad45afc1d9b.tar.xz
frr-dea7e8d6f710b9014197b31258db0ad45afc1d9b.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 3a74b7569..c5e985cda 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -896,8 +896,10 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)
 
 	extoff = htons(hdr->extension_offset);
 	if (extoff) {
-		if (extoff >= realsize) {
-			info = "extoff larger than packet";
+		assert(zb->head > zb->buf);
+		uint32_t header_offset = zb->head - zb->buf;
+		if ((extoff >= realsize) || (extoff < (header_offset))) {
+			info = "extoff larger than packet, or smaller than header";
 			goto drop;
 		}
 		paylen = extoff - (zb->head - zb->buf);
author	Jafar Al-Gharaibeh <Jafaral@users.noreply.github.com>	2020-01-15 05:57:15 +0100
committer	GitHub <noreply@github.com>	2020-01-15 05:57:15 +0100
commit	dea7e8d6f710b9014197b31258db0ad45afc1d9b (patch)
tree	2a4ed82cdfdc8492ce3916ac6a794291f5094cf7 /nhrpd
parent	Merge pull request #5657 from mjstapp/staticd_add_debugs (diff)
parent	nhrpd: offset value not checked for min size (diff)
download	frr-dea7e8d6f710b9014197b31258db0ad45afc1d9b.tar.xz frr-dea7e8d6f710b9014197b31258db0ad45afc1d9b.zip