From 3163c64d2893b5411d299952ff16dfc05e2c7a86 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Wed, 30 Aug 2023 08:54:33 -0400
Subject: pimd: When receiving a packet be more careful with length in pim_pim_packet
a) If the length passed is the header length then it is possible that assignment of data will happen without data actually existing.
b) Just move the assignment to after we ensure that the pim packet received is the minimum possible length that can be received.
Signed-off-by: Donald Sharp
---
 pimd/pim_pim.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'pimd')
diff --git a/pimd/pim_pim.c b/pimd/pim_pim.c
index 4a272a480..a4c9178bb 100644
--- a/pimd/pim_pim.c
+++ b/pimd/pim_pim.c
@@ -155,7 +155,7 @@ int pim_pim_packet(struct interface *ifp, uint8_t *buf, size_t len,
 bool no_fwd;
 #if PIM_IPV == 4
- if (len < sizeof(*ip_hdr)) {
+ if (len <= sizeof(*ip_hdr)) {
 if (PIM_DEBUG_PIM_PACKETS)
 zlog_debug(
 "PIM packet size=%zu shorter than minimum=%zu",
@@ -189,7 +189,6 @@ int pim_pim_packet(struct interface *ifp, uint8_t *buf, size_t len,
 iovp->iov_len = pim_msg_len;
 iovp++;
- header = (struct pim_msg_header *)pim_msg;
 if (pim_msg_len < PIM_PIM_MIN_LEN) {
 if (PIM_DEBUG_PIM_PACKETS)
 zlog_debug(
@@ -197,6 +196,7 @@ int pim_pim_packet(struct interface *ifp, uint8_t *buf, size_t len,
 pim_msg_len, PIM_PIM_MIN_LEN);
 return -1;
 }
+ header = (struct pim_msg_header *)pim_msg;
 if (header->ver != PIM_PROTO_VERSION) {
 if (PIM_DEBUG_PIM_PACKETS)
-- cgit v1.2.3
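Review bot: The tightened guard `if (len <= sizeof(*ip_hdr))` in the first hunk still measures `len` only against the fixed size of the IPv4 header struct, so it does not cover a header that carries options. If the lines between this hunk and the next (not shown) locate `pim_msg` and derive `pim_msg_len` from the header's own length field, that value should be bounded by `len` before the subtraction; otherwise an unsigned result could wrap and pass the later `PIM_PIM_MIN_LEN` test. Separately, the debug text still says "shorter than minimum=%zu", although a packet of exactly the header size is now rejected as well; assuming its arguments (outside the hunk) are `len` and the header size, wording such as `"PIM packet size=%zu leaves no payload after IP header=%zu"` would match the new condition. The body of pim_pim_packet starts and ends outside the hunk.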
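Review bot: The invariant that `header` may be dereferenced only once `pim_msg_len >= PIM_PIM_MIN_LEN` holds is left implicit at the relocated assignment in the third hunk, so a later cleanup could move the line back without noticing. The cast itself reads no memory and the first visible dereference, `header->ver`, already sat after the length test, so the ordering is a readability safeguard and deserves a comment such as `/* pim_msg_len >= PIM_PIM_MIN_LEN from here on; header fields may be read */`. That comment is only true if PIM_PIM_MIN_LEN is at least the size of struct pim_msg_header; both are defined outside this diff and should be confirmed. The enclosing function continues beyond the hunk.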