authorDonald Sharp <sharpd@cumulusnetworks.com>2019-11-20 01:36:19 +0100
committerDonald Sharp <sharpd@cumulusnetworks.com>2019-11-20 02:30:24 +0100
commitb1945363fbfcefe9029253c611394e9f6967de7c (patch)
treea3b37d6a6390f4a8d5d9ceeb4e93a41ed7b04d73 /pimd/pim_tlv.c
parentMerge pull request #5372 from opensourcerouting/snap-vrrpd (diff)
pimd: Various buffer overflow reads and crashes
A variety of buffer overflow reads and crashes that could occur if you fed bad info into pim. 1) When type is set up incorrectly we were printing the first 8 bytes of the pim_parse_addr_source buffer, but the min encoding length is 4 bytes. As such we will read beyond the end of the buffer. 2) The RP(pim, grp) macro can return a NULL value. Do not automatically assume that we can deref the data. 3) BSM parsing was not properly sanitizing data input from the wire and we could enter into situations where we would read beyond the end of the buffer. Prevent this from happening, we are probably left in a bad way. 4) The received bit length cannot be greater than 32 bits, refuse to allow it to happen. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'pimd/pim_tlv.c')
-rw-r--r--pimd/pim_tlv.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/pimd/pim_tlv.c b/pimd/pim_tlv.c
index 4fe323739..93e1cc1f8 100644
--- a/pimd/pim_tlv.c
+++ b/pimd/pim_tlv.c
@@ -603,9 +603,9 @@ int pim_parse_addr_source(struct prefix_sg *sg, uint8_t *flags,
if (type) {
zlog_warn(
- "%s: unknown source address encoding type=%d: %02x%02x%02x%02x%02x%02x%02x%02x",
+ "%s: unknown source address encoding type=%d: %02x%02x%02x%02x",
__PRETTY_FUNCTION__, type, buf[0], buf[1], buf[2],
- buf[3], buf[4], buf[5], buf[6], buf[7]);
+ buf[3]);
return -2;
}
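Review bot: The four `buf[0]`..`buf[3]` reads in this `zlog_warn` call are only in bounds if the function has already rejected inputs shorter than the 4-byte minimum encoding. That length check is not visible here, because the body of `pim_parse_addr_source` starts and ends outside the hunk, so it should be confirmed against the full function. Nothing on the new side records why exactly four bytes are dumped, so a later edit could widen the format string again and reintroduce the over-read. I would add a comment above the call such as `/* dump only the 4-byte minimum encoding; nothing beyond buf[3] is known to be present */`. The same applies to the `default:` branch in the second hunk, which has the identical four-byte dump.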
@@ -644,9 +644,9 @@ int pim_parse_addr_source(struct prefix_sg *sg, uint8_t *flags,
break;
default: {
zlog_warn(
- "%s: unknown source address encoding family=%d: %02x%02x%02x%02x%02x%02x%02x%02x",
+ "%s: unknown source address encoding family=%d: %02x%02x%02x%02x",
__PRETTY_FUNCTION__, family, buf[0], buf[1], buf[2],
- buf[3], buf[4], buf[5], buf[6], buf[7]);
+ buf[3]);
return -5;
}
}