From: Quentin Young
Date: Fri, 21 Feb 2020 04:20:27 +0000 (-0500)
Subject: pim: random fuzzing fixes
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=e6cfcca416767d2bd1ddef47d43f88590ca41e7d;p=mirror%2Ffrr.git
pim: random fuzzing fixes
Signed-off-by: Quentin Young
---
diff --git a/pimd/pim_neighbor.c b/pimd/pim_neighbor.c
index 571173c62a..b2dfc309da 100644
--- a/pimd/pim_neighbor.c
+++ b/pimd/pim_neighbor.c
@@ -626,15 +626,15 @@ void pim_neighbor_delete(struct interface *ifp, struct pim_neighbor *neigh,
 if (!PIM_OPTION_IS_SET(neigh->hello_options, PIM_OPTION_MASK_LAN_PRUNE_DELAY)) {
 /* update num. of neighbors without hello option lan_delay */
-
- --pim_ifp->pim_number_of_nonlandelay_neighbors;
+ pim_ifp->pim_number_of_nonlandelay_neighbors = MAX(
+ pim_ifp->pim_number_of_nonlandelay_neighbors - 1, 0);
 }
 if (!PIM_OPTION_IS_SET(neigh->hello_options, PIM_OPTION_MASK_DR_PRIORITY)) {
 /* update num. of neighbors without dr_pri */
-
- --pim_ifp->pim_dr_num_nondrpri_neighbors;
+ pim_ifp->pim_dr_num_nondrpri_neighbors =
+ MAX(pim_ifp->pim_dr_num_nondrpri_neighbors - 1, 0);
 }
 assert(neigh->propagation_delay_msec
diff --git a/pimd/pim_register.c b/pimd/pim_register.c
index e2538da36f..8047a93a71 100644
--- a/pimd/pim_register.c
+++ b/pimd/pim_register.c
@@ -325,6 +325,11 @@ int pim_register_recv(struct interface *ifp, struct in_addr dest_addr,
 struct pim_instance *pim = pim_ifp->pim;
 #define PIM_MSG_REGISTER_BIT_RESERVED_LEN 4
+
+ if (tlv_buf_size
+ < (int)(PIM_MSG_REGISTER_BIT_RESERVED_LEN + sizeof(struct ip))) {
+ return 0;
+ }
 ip_hdr = (struct ip *)(tlv_buf + PIM_MSG_REGISTER_BIT_RESERVED_LEN);
 if (!pim_rp_check_is_my_ip_address(pim, dest_addr)) {
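Review bot: Clamping both counters with `MAX(x - 1, 0)` in pim_neighbor_delete only works if `pim_number_of_nonlandelay_neighbors` and `pim_dr_num_nondrpri_neighbors` are signed, and it absorbs an imbalance between the add and delete paths without leaving any trace. The field declarations are not in this hunk; if either is unsigned, `x - 1` wraps before the comparison and the clamp never fires. A guard that does not depend on signedness reads more directly: `if (pim_ifp->pim_number_of_nonlandelay_neighbors > 0) --pim_ifp->pim_number_of_nonlandelay_neighbors;`, ideally with a warning log in the else branch so an attempted underflow is visible. The same applies to the second counter a few lines below, and the function body starts and ends outside the hunk.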
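Review bot: The new length check in pim_register_recv drops a truncated Register with a bare `return 0;`, so malformed input leaves no log line or counter, and the caller may not be able to tell it from a processed message (the return convention is not visible in this hunk). A debug log before the return would make these drops observable, for example `zlog_debug("%s: Register on %s too short: %d bytes", __func__, ifp->name, tlv_buf_size);`. The check guarantees only the fixed `sizeof(struct ip)` header; if code past this hunk trusts length fields of the encapsulated header such as `ip_hl` or `ip_len`, each needs its own comparison with `tlv_buf_size`. Assuming `tlv_buf_size` is an `int`, the `(int)` cast deserves a short comment such as `/* cast keeps the comparison signed; a negative size must not be promoted to unsigned */`.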