ospfd: Limit possible message read to our buffer size

It's possible(but unlikely) that a read of data from the
network will give us bogus data.  Don't automatically
just trust the data size from the network and limit
the read to the size of the buffer we have in play.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c
index 1ace0977bc349cc7efae6dd246673db0a25ced26..7e7236a3b69eec3da9540a70e4708f0bf54ea379 100644 (file)
--- a/ospfd/ospf_api.c
+++ b/ospfd/ospf_api.c
@@ -353,8 +353,8 @@ struct msg *msg_read(int fd)
        struct msg *msg;
        struct apimsghdr hdr;
        uint8_t buf[OSPF_API_MAX_MSG_SIZE];
-       int bodylen;
-       int rlen;
+       ssize_t bodylen;
+       ssize_t rlen;
 
        /* Read message header */
        rlen = readn(fd, (uint8_t *)&hdr, sizeof(struct apimsghdr));
@@ -378,8 +378,13 @@ struct msg *msg_read(int fd)
 
        /* Determine body length. */
        bodylen = ntohs(hdr.msglen);
-       if (bodylen > 0) {
+       if (bodylen > (ssize_t)sizeof(buf)) {
+               zlog_warn("%s: Body Length of message greater than what we can read",
+                         __func__);
+               return NULL;
+       }
 
+       if (bodylen > 0) {
                /* Read message body */
                rlen = readn(fd, buf, bodylen);
                if (rlen < 0) {