From: whichbug <whichbug@github.com>
Date: Thu, 3 Feb 2022 17:01:31 +0000 (-0500)
Subject: babeld: fix #10487 by adding a check on packet length
X-Git-Tag: pim6-testing-20220430~367^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=refs%2Fpull%2F10494%2Fhead;p=mirror%2Ffrr.git

babeld: fix #10487 by adding a check on packet length

The body length of a packet should satisfy the condition:
packetlen >= bodylen + 4. Otherwise, heap overflows may happen.

Signed-off-by: whichbug <whichbug@github.com>
---

diff --git a/babeld/message.c b/babeld/message.c
index 5c2e29d8b3..3a29b6a60f 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
 static int
 babel_packet_examin(const unsigned char *packet, int packetlen)
 {
-    unsigned i = 0, bodylen;
+    int i = 0, bodylen;
     const unsigned char *message;
     unsigned char type, len;
 
     if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
         return 1;
     DO_NTOHS(bodylen, packet + 2);
+    if(bodylen + 4 > packetlen) {
+        debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
+                 bodylen, packetlen);
+        return 1;
+    }
     while (i < bodylen){
         message = packet + 4 + i;
         type = message[0];
@@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
 
     DO_NTOHS(bodylen, packet + 2);
 
-    if(bodylen + 4 > packetlen) {
-        flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
-                 bodylen, packetlen);
-        bodylen = packetlen - 4;
-    }
-
     i = 0;
     while(i < bodylen) {
         message = packet + 4 + i;