summaryrefslogtreecommitdiffstats
path: root/pimd/mtracebis.c
diff options
context:
space:
mode:
authorpaco <paco@voltanet.io>2018-06-26 17:09:07 +0200
committerpaco <paco@voltanet.io>2018-06-26 17:14:36 +0200
commit813099f0fcd3781edfa00b6e6f2cc96732b494ae (patch)
tree1a481b467751e9110e26f34e6add19475fe90168 /pimd/mtracebis.c
parentMerge pull request #2549 from pacovn/Coverity_1452317_Explicit_null_dereferenced (diff)
downloadfrr-813099f0fcd3781edfa00b6e6f2cc96732b494ae.tar.xz
frr-813099f0fcd3781edfa00b6e6f2cc96732b494ae.zip
pimd: untrusted argument (3) (Coverity 1465491)
Additional fix over d94023d85c1682ae14def9d50f2474e8e6290e44 (PR #2546) Removed all pointer arithmetic used for the checks, while keeping same coverage. I hope this removes the Coverity warning (If this don't fix it, I'll make Coverity work with a fork and try there as many times as necessary) Signed-off-by: F. Aragon <paco@voltanet.io>
Diffstat (limited to 'pimd/mtracebis.c')
-rw-r--r--pimd/mtracebis.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/pimd/mtracebis.c b/pimd/mtracebis.c
index a0e8fd127..c0d95aeed 100644
--- a/pimd/mtracebis.c
+++ b/pimd/mtracebis.c
@@ -266,6 +266,8 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer)
int mtrace_len;
int responses;
unsigned short sum;
+ size_t mtrace_off;
+ size_t ip_len;
recvd = recvfrom(fd, mtrace_buf, IP_AND_MTRACE_BUF_LEN, 0, NULL, 0);
@@ -292,19 +294,19 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer)
if (sum != in_cksum(ip, ip->ip_hl * 4))
return -1;
- mtrace = (struct igmp_mtrace *)(mtrace_buf + (4 * ip->ip_hl));
-
- mtrace_len = ntohs(ip->ip_len) - ip->ip_hl * 4;
-
- if ((char *)mtrace + mtrace_len
- > (char *)mtrace_buf + IP_AND_MTRACE_BUF_LEN)
+ /* Header overflow check */
+ mtrace_off = 4 * ip->ip_hl;
+ if (mtrace_off > MTRACE_BUF_LEN)
return -1;
- if (mtrace_len < (int)MTRACE_HDR_SIZE)
+ /* Underflow/overflow check */
+ ip_len = ntohs(ip->ip_len);
+ if (ip_len < mtrace_off || ip_len < MTRACE_HDR_SIZE
+ || ip_len > MTRACE_BUF_LEN)
return -1;
- if (mtrace_len > (int)MTRACE_BUF_LEN)
- return -1;
+ mtrace_len = ip_len - mtrace_off;
+ mtrace = (struct igmp_mtrace *)(mtrace_buf + mtrace_off);
sum = mtrace->checksum;
mtrace->checksum = 0;