From a7051a1825576a24c85556b623d63851c4b5ebf2 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Thu, 26 Dec 2019 06:58:02 -0500
Subject: nhrpd: offset value not checked for min size

If the extension offset points to a location within the packet header, we end up with an integer underflow leading to heap buffer read overflow.

Signed-off-by: Quentin Young
---
 nhrpd/nhrp_peer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'nhrpd')

diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 3a74b7569..c5e985cda 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -896,8 +896,10 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)
 extoff = htons(hdr->extension_offset);
 if (extoff) {
- if (extoff >= realsize) {
- info = "extoff larger than packet";
+ assert(zb->head > zb->buf);
+ uint32_t header_offset = zb->head - zb->buf;
+ if ((extoff >= realsize) || (extoff < (header_offset))) {
+ info = "extoff larger than packet, or smaller than header";
 goto drop;
 }
 paylen = extoff - (zb->head - zb->buf);
-- 
cgit v1.2.3
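Review bot: The new guard compares `extoff` against `header_offset`, but the context line immediately after it, `paylen = extoff - (zb->head - zb->buf);`, recomputes the same pointer difference, so the bound and the subtraction it protects can silently diverge the next time either is edited; write it as `paylen = extoff - header_offset;` so a single value is both checked and used. `header_offset` also narrows a `ptrdiff_t` into `uint32_t`; harmless for a packet-sized zbuf, but `size_t` would match the pointer arithmetic without a truncating conversion. The `assert(zb->head > zb->buf)` turns an internal invariant into a process abort on the packet-receive path of a routing daemon; if the project's assert can be compiled out, or if this code can be reached with `head == buf`, it is safer to fold that condition into the `goto drop` branch than to rely on the assert. The enclosing `nhrp_peer_recv` begins and ends outside this hunk, so whether `realsize` is already bounded by the received length cannot be confirmed from here.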