pimd: readd iph length checks

Kernel might not hand us a bad packet, but better safe than sorry here.
Validate the IP header length field. Also adds an additional check that
the packet length is sufficient for an IGMP packet, and a check that we
actually have enough for an ip header at all.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>

diff --git a/pimd/pim_igmp.c b/pimd/pim_igmp.c
index 7dfd26ea655d9c67662c5510ebf0313c15876223..d87cea0d357fcc9d4b701c544b5d5b2353a35b41 100644 (file)
--- a/pimd/pim_igmp.c
+++ b/pimd/pim_igmp.c
@@ -478,10 +478,24 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len)
                        ip_hdr->ip_p);
        }
 
+       if (ip_hlen > len) {
+               zlog_warn(
+                       "IGMP packet header claims size %zu, but we only have %zu bytes",
+                       ip_hlen, len);
+               return -1;
+       }
+
        igmp_msg = buf + ip_hlen;
-       msg_type = *igmp_msg;
        igmp_msg_len = len - ip_hlen;
 
+       if (igmp_msg_len < PIM_IGMP_MIN_LEN) {
+               zlog_warn("IGMP message size=%d shorter than minimum=%d",
+                         igmp_msg_len, PIM_IGMP_MIN_LEN);
+               return -1;
+       }
+
+       msg_type = *igmp_msg;
+
        if (PIM_DEBUG_IGMP_PACKETS) {
                zlog_debug(
                        "Recv IGMP packet from %s to %s on %s: ttl=%d msg_type=%d msg_size=%d",
@@ -489,12 +503,6 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len)
                        msg_type, igmp_msg_len);
        }
 
-       if (igmp_msg_len < PIM_IGMP_MIN_LEN) {
-               zlog_warn("IGMP message size=%d shorter than minimum=%d",
-                         igmp_msg_len, PIM_IGMP_MIN_LEN);
-               return -1;
-       }
-
        switch (msg_type) {
        case PIM_IGMP_MEMBERSHIP_QUERY: {
                int max_resp_code = igmp_msg[1];

diff --git a/pimd/pim_mroute.c b/pimd/pim_mroute.c
index f7f4b54aead1ff25f8cf70d83f7446ad5af54f27..6472de42d46c21143cfd51fbafcda7370b12dd3a 100644 (file)
--- a/pimd/pim_mroute.c
+++ b/pimd/pim_mroute.c
@@ -585,6 +585,9 @@ static int pim_mroute_msg(struct pim_instance *pim, const char *buf,
        struct in_addr ifaddr;
        struct igmp_sock *igmp;
 
+       if (buf_size < (int)sizeof(struct ip))
+               return 0;
+
        ip_hdr = (const struct ip *)buf;
 
        if (ip_hdr->ip_p == IPPROTO_IGMP) {