zebra: fix incoming FPM message length validation

Validate incoming message length against correct
(struct rtmsg) len, not top-level netlink message header size.

Signed-off-by: Mark Stapp <mjs@cisco.com>

diff --git a/zebra/dplane_fpm_nl.c b/zebra/dplane_fpm_nl.c
index 245b799a91d4d1a1dcce2de1168b667a3dcd811c..9ad92d6269dd873fcdca6b39b1e7f955d7c8fc41 100644 (file)
--- a/zebra/dplane_fpm_nl.c
+++ b/zebra/dplane_fpm_nl.c
@@ -654,14 +654,6 @@ static void fpm_read(struct event *t)
                hdr_available_bytes = fpm.msg_len - FPM_MSG_HDR_LEN;
                available_bytes -= hdr_available_bytes;
 
-               /* Sanity check: must be at least header size. */
-               if (hdr->nlmsg_len < sizeof(*hdr)) {
-                       zlog_warn(
-                               "%s: [seq=%u] invalid message length %u (< %zu)",
-                               __func__, hdr->nlmsg_seq, hdr->nlmsg_len,
-                               sizeof(*hdr));
-                       continue;
-               }
                if (hdr->nlmsg_len > fpm.msg_len) {
                        zlog_warn(
                                "%s: Received a inner header length of %u that is greater than the fpm total length of %u",
@@ -691,6 +683,14 @@ static void fpm_read(struct event *t)
 
                switch (hdr->nlmsg_type) {
                case RTM_NEWROUTE:
+                       /* Sanity check: need at least route msg header size. */
+                       if (hdr->nlmsg_len < sizeof(struct rtmsg)) {
+                               zlog_warn("%s: [seq=%u] invalid message length %u (< %zu)",
+                                         __func__, hdr->nlmsg_seq,
+                                         hdr->nlmsg_len, sizeof(struct rtmsg));
+                               break;
+                       }
+
                        ctx = dplane_ctx_alloc();
                        dplane_ctx_route_init(ctx, DPLANE_OP_ROUTE_NOTIFY, NULL,
                                              NULL);