From: Rafael Zalamena
Date: Wed, 7 Dec 2022 14:49:26 +0000 (-0300)
Subject: pimd: fix MSDP packet debug crashes
X-Git-Tag: base_8.5~173^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=refs%2Fpull%2F12460%2Fhead;p=mirror%2Ffrr.git

pimd: fix MSDP packet debug crashes

Add some safe guards to avoid crashes and alert us about programming errors in packet build.

Signed-off-by: Rafael Zalamena
---
diff --git a/pimd/pim_msdp_packet.c b/pimd/pim_msdp_packet.c
index 9f0cba03c2..5230f6a332 100644
--- a/pimd/pim_msdp_packet.c
+++ b/pimd/pim_msdp_packet.c
@@ -83,10 +83,18 @@ static void pim_msdp_pkt_sa_dump_one(struct stream *s)
 
 static void pim_msdp_pkt_sa_dump(struct stream *s)
 {
+ const size_t header_length = PIM_MSDP_SA_X_SIZE - PIM_MSDP_HEADER_SIZE;
+ size_t payload_length;
 int entry_cnt;
 int i;
 struct in_addr rp; /* Last RP address associated with this SA */
 
+ if (header_length > STREAM_READABLE(s)) {
+ zlog_err("BUG MSDP SA bad header (readable %zu expected %zu)",
+ STREAM_READABLE(s), header_length);
+ return;
+ }
+
 entry_cnt = stream_getc(s);
 rp.s_addr = stream_get_ipv4(s);
 
@@ -96,6 +104,13 @@ static void pim_msdp_pkt_sa_dump(struct stream *s)
 zlog_debug(" entry_cnt %d rp %s", entry_cnt, rp_str);
 }
 
+ payload_length = (size_t)entry_cnt * PIM_MSDP_SA_ONE_ENTRY_SIZE;
+ if (payload_length > STREAM_READABLE(s)) {
+ zlog_err("BUG MSDP SA bad length (readable %zu expected %zu)",
+ STREAM_READABLE(s), payload_length);
+ return;
+ }
+
 /* dump SAs */
 for (i = 0; i < entry_cnt; ++i) {
 pim_msdp_pkt_sa_dump_one(s);
@@ -116,6 +131,11 @@ static void pim_msdp_pkt_dump(struct pim_msdp_peer *mp, int type, int len,
 return;
 }
 
+ if (len < PIM_MSDP_HEADER_SIZE) {
+ zlog_err("invalid MSDP header length");
+ return;
+ }
+
 switch (type) {
 case PIM_MSDP_V4_SOURCE_ACTIVE:
 pim_msdp_pkt_sa_dump(s);
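Review bot: The header guard in the first hunk, and the payload guard in the second, report a short stream with `zlog_err` and a "BUG" prefix, which presumes the packet was built locally. The callers are outside this diff, but if the dump also runs on received packets while packet debugging is enabled, `entry_cnt` and the readable length are peer-controlled, so a malformed SA message would produce an error-level line per packet that blames a programming error. For that case a neutral debug-level message would be safer, e.g. `zlog_debug("MSDP SA truncated header (readable %zu expected %zu)", STREAM_READABLE(s), header_length);`. Alternatively, pass the direction down so that only locally built packets are reported as bugs. A short comment on `header_length`, noting that it is meant to cover the entry-count byte and RP address read just below, would also help.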
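Review bot: The payload guard in the second hunk protects the loop only if `pim_msdp_pkt_sa_dump_one()` consumes exactly `PIM_MSDP_SA_ONE_ENTRY_SIZE` bytes per call, and nothing in the new code states or enforces that coupling. That function's body is outside the hunk, so the assumption cannot be confirmed from here. I would add a comment above the check, such as `/* pim_msdp_pkt_sa_dump_one() must read exactly PIM_MSDP_SA_ONE_ENTRY_SIZE bytes per entry */`, so that a later change to the per-entry dump does not silently invalidate the bound. The loop body continues past the end of the hunk.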
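Review bot: The `len` check added to `pim_msdp_pkt_dump` in the third hunk does not bound what the SA dumper reads, because `pim_msdp_pkt_sa_dump(s)` is still called without `len`. Its guards compare against `STREAM_READABLE(s)`, so if the stream holds more than this one message (not determinable from the hunk) the dump could run past the declared message length. Passing the remaining length down and checking against the smaller of the two would close that gap. The log line also omits the offending value, unlike the two SA messages; `zlog_err("invalid MSDP header length %d", len);` would make it actionable. The function begins and ends outside the hunk.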