From 01e3c3764deda6af62af1baa13b195af7672947e Mon Sep 17 00:00:00 2001 From: Quentin Young Date: Thu, 12 Dec 2019 00:09:39 -0500 Subject: [PATCH] ospfd: fix misplaced trust in ip header length We actually don't validate the IHL field, although it certainly looks like we do at a casual glance. This patch saves us from an assert in case we actually do get an IP packet with an incorrect header length field. Signed-off-by: Quentin Young --- ospfd/ospf_packet.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 80ffc3f361..0d520f8b0a 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -3001,11 +3001,23 @@ static enum ospf_read_return_enum ospf_read_helper(struct ospf *ospf) return OSPF_READ_CONTINUE; } - /* - * Advance from IP header to OSPF header (iph->ip_hl has - * been verified by ospf_recv_packet() to be correct). - */ - stream_forward_getp(ibuf, iph->ip_hl * 4); + /* Check that we have enough for an IP header */ + if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf)) { + if ((unsigned int)(iph->ip_hl << 2) == STREAM_READABLE(ibuf)) { + flog_warn( + EC_OSPF_PACKET, + "Rx'd IP packet with OSPF protocol number but no payload"); + } else { + flog_warn( + EC_OSPF_PACKET, + "IP header length field claims header is %u bytes, but we only have %zu", + (unsigned int)(iph->ip_hl << 2), + STREAM_READABLE(ibuf)); + } + + return OSPF_READ_ERROR; + } + stream_forward_getp(ibuf, iph->ip_hl << 2); ospfh = (struct ospf_header *)stream_pnt(ibuf); if (MSG_OK -- 2.39.5