pimd: untrusted argument (3) (Coverity 1465491)

Additional fix over d94023d85c1682ae14def9d50f2474e8e6290e44 (PR #2546)

Removed all pointer arithmetic used for the checks, while keeping same
coverage. I hope this removes the Coverity warning (If this don't fix it, I'll
make Coverity work with a fork and try there as many times as necessary)

Signed-off-by: F. Aragon <paco@voltanet.io>

diff --git a/pimd/mtracebis.c b/pimd/mtracebis.c
index a0e8fd127030152a0fbff9bd9053bda8d09c0ad9..c0d95aeed9e3799542ee7097f3d982b899a8e98e 100644 (file)
--- a/pimd/mtracebis.c
+++ b/pimd/mtracebis.c
@@ -266,6 +266,8 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer)
        int mtrace_len;
        int responses;
        unsigned short sum;
+       size_t mtrace_off;
+       size_t ip_len;
 
        recvd = recvfrom(fd, mtrace_buf, IP_AND_MTRACE_BUF_LEN, 0, NULL, 0);
 
@@ -292,19 +294,19 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer)
        if (sum != in_cksum(ip, ip->ip_hl * 4))
                return -1;
 
-       mtrace = (struct igmp_mtrace *)(mtrace_buf + (4 * ip->ip_hl));
-
-       mtrace_len = ntohs(ip->ip_len) - ip->ip_hl * 4;
-
-       if ((char *)mtrace + mtrace_len
-           > (char *)mtrace_buf + IP_AND_MTRACE_BUF_LEN)
+       /* Header overflow check */
+       mtrace_off = 4 * ip->ip_hl;
+       if (mtrace_off > MTRACE_BUF_LEN)
                return -1;
 
-       if (mtrace_len < (int)MTRACE_HDR_SIZE)
+       /* Underflow/overflow check */
+       ip_len = ntohs(ip->ip_len);
+       if (ip_len < mtrace_off || ip_len < MTRACE_HDR_SIZE
+           || ip_len > MTRACE_BUF_LEN)
                return -1;
 
-       if (mtrace_len > (int)MTRACE_BUF_LEN)
-               return -1;
+       mtrace_len = ip_len - mtrace_off;
+       mtrace = (struct igmp_mtrace *)(mtrace_buf + mtrace_off);
 
        sum = mtrace->checksum;
        mtrace->checksum = 0;