nhrpd: offset value not checked for min size 5590/head
authorQuentin Young <qlyoung@cumulusnetworks.com>
Thu, 26 Dec 2019 11:58:02 +0000 (06:58 -0500)
committerQuentin Young <qlyoung@cumulusnetworks.com>
Tue, 14 Jan 2020 23:42:12 +0000 (18:42 -0500)
If the extension offset points to a location within the packet header,
we end up with an integer underflow, leading to a heap buffer
over-read.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
nhrpd/nhrp_peer.c

index 3a74b756961b9ee943ba2894b55af84d3eaf1bfc..c5e985cdacad37b1167fda62996b3908ffa07996 100644 (file)
@@ -896,8 +896,10 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)
 
        extoff = htons(hdr->extension_offset);
        if (extoff) {
-               if (extoff >= realsize) {
-                       info = "extoff larger than packet";
+               assert(zb->head > zb->buf);
+               uint32_t header_offset = zb->head - zb->buf;
+               if ((extoff >= realsize) || (extoff < (header_offset))) {
+                       info = "extoff larger than packet, or smaller than header";
                        goto drop;
                }
                paylen = extoff - (zb->head - zb->buf);
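Review bot: The added `assert(zb->head > zb->buf);` sits on the receive path for network packets, so a violated invariant would abort the daemon rather than take the `goto drop` exit used for every other malformed-input case here. If assertions can be compiled out in this build (not visible from the hunk), the pointer difference would then be stored in `uint32_t header_offset` with no check at all. I would route it through the drop path instead, e.g. `if (zb->head <= zb->buf) { info = "invalid buffer state"; goto drop; }`. The unchanged last line still recomputes the offset; writing it as `paylen = extoff - header_offset;` would keep the bounds check and the subtraction tied to the same value. The body of nhrp_peer_recv starts and ends outside this hunk, so how `realsize` relates to `zb->buf` cannot be confirmed from here.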