From 8128153ba40b3ee53dfa4a1f4c252635e6908596 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Thu, 12 May 2022 13:23:36 -0400 Subject: [PATCH] babeld: Check that bodylen is within some bounds of usable Coverity believed that the bodylen value was read directly from the incoming packet and then used as a loop variable. Unfortunately it missed the fact that in babel_packet_examin the bodylen was actually checked to ensure that it was long enough. So instead of checking it 2 times, generate it one time and let coverity figure it out from that. Signed-off-by: Donald Sharp --- babeld/message.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/babeld/message.c b/babeld/message.c index 559b8c4e4a..0ddfda8d7b 100644 --- a/babeld/message.c +++ b/babeld/message.c @@ -286,7 +286,7 @@ channels_len(unsigned char *channels) followed by a sequence of TLVs. TLVs of known types are also checked to meet minimum length constraints defined for each. Return 0 for no errors. */ static int -babel_packet_examin(const unsigned char *packet, int packetlen) +babel_packet_examin(const unsigned char *packet, int packetlen, int *blength) { int i = 0, bodylen; const unsigned char *message; @@ -323,6 +323,8 @@ babel_packet_examin(const unsigned char *packet, int packetlen) } i += len + 2; } + + *blength = bodylen; return 0; } @@ -356,7 +358,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, return; } - if (babel_packet_examin (packet, packetlen)) { + if (babel_packet_examin (packet, packetlen, &bodylen)) { flog_err(EC_BABEL_PACKET, "Received malformed packet on %s from %s.", ifp->name, format_address(from)); @@ -369,8 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp, return; } - DO_NTOHS(bodylen, packet + 2); - i = 0; while(i < bodylen) { message = packet + 4 + i; -- 2.39.5