From c23bc38a9fdc5d5bffe14372a18c91d78e53e60a Mon Sep 17 00:00:00 2001
From: paco
Date: Mon, 25 Jun 2018 11:19:55 +0200
Subject: [PATCH] ospfd: OoB access (Coverity 1221445 1221448)

Signed-off-by: F. Aragon
---
 ospfd/ospf_api.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c
index 8369dde822..b1175a2f68 100644
--- a/ospfd/ospf_api.c
+++ b/ospfd/ospf_api.c
@@ -510,17 +510,18 @@ struct msg *new_msg_originate_request(uint32_t seqnum, struct in_addr ifaddr,
 struct msg_originate_request *omsg;
 unsigned int omsglen;
 char buf[OSPF_API_MAX_MSG_SIZE];
+ size_t off_data = offsetof(struct msg_originate_request, data);
+ size_t data_maxs = sizeof(buf) - off_data;
+ struct lsa_header *omsg_data = (struct lsa_header *)&buf[off_data];
 omsg = (struct msg_originate_request *)buf;
 omsg->ifaddr = ifaddr;
 omsg->area_id = area_id;
 omsglen = ntohs(data->length);
- if (omsglen
- > sizeof(buf) - offsetof(struct msg_originate_request, data))
- omsglen = sizeof(buf)
- - offsetof(struct msg_originate_request, data);
- memcpy(&omsg->data, data, omsglen);
+ if (omsglen > data_maxs)
+ omsglen = data_maxs;
+ memcpy(omsg_data, data, omsglen);
 omsglen += sizeof(struct msg_originate_request) - sizeof(struct lsa_header);
@@ -630,6 +631,9 @@ struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum,
 uint8_t buf[OSPF_API_MAX_MSG_SIZE];
 struct msg_lsa_change_notify *nmsg;
 unsigned int len;
+ size_t off_data = offsetof(struct msg_lsa_change_notify, data);
+ size_t data_maxs = sizeof(buf) - off_data;
+ struct lsa_header *nmsg_data = (struct lsa_header *)&buf[off_data];
 assert(data);
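Review bot: The clamp at `if (omsglen > data_maxs)` still silently truncates an LSA whose `data->length` exceeds the buffer, so the message handed to msg_new carries an lsa_header whose length field no longer matches the payload that follows it; the commit only changes where the copy is written through (`omsg_data` instead of `&omsg->data`), which satisfies the overrun report but leaves the truncation unhandled. Because `omsglen` comes straight from `ntohs(data->length)`, rejecting oversize input is safer than clamping, e.g. `if (omsglen > data_maxs) return NULL;`, provided callers already handle a NULL result from this function (not visible here — confirm). The reason for bypassing the `data` member also deserves a comment so it is not refactored back, e.g. `/* copy through buf, not &omsg->data: the LSA body extends past the single lsa_header member (Coverity 1221445) */`. The same two points apply to the new_msg_lsa_change_notify hunks below; new_msg_originate_request continues outside this hunk.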
@@ -640,10 +644,9 @@ struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum,
 memset(&nmsg->pad, 0, sizeof(nmsg->pad));
 len = ntohs(data->length);
- if (len > sizeof(buf) - offsetof(struct msg_lsa_change_notify, data))
- len = sizeof(buf)
- - offsetof(struct msg_lsa_change_notify, data);
- memcpy(&nmsg->data, data, len);
+ if (len > data_maxs)
+ len = data_maxs;
+ memcpy(nmsg_data, data, len);
 len += sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header);
 return msg_new(msgtype, nmsg, seqnum, len);
-- 
2.39.5
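Review bot: `len = data_maxs;` narrows a `size_t` into the `unsigned int len` without a cast; the value is bounded by `sizeof(buf)` so it cannot actually truncate, but declaring `data_maxs` as `unsigned int` — it is only ever compared with and assigned to `len` — or writing `len = (unsigned int)data_maxs;` keeps -Wconversion builds clean (the `omsglen = data_maxs;` line in the first hunk has the same shape). There is also no lower bound on `len`: a `data->length` smaller than `sizeof(struct lsa_header)` copies only a partial header while the length arithmetic that follows still accounts for a whole lsa_header, so a consumer that reads the full header from the notify would presumably read past the bytes msg_new was given — whether such LSAs can reach this point depends on validation elsewhere, which is not visible here. A guard such as `if (len < sizeof(struct lsa_header)) return NULL;` before the copy would make that contract explicit. new_msg_lsa_change_notify starts outside this hunk.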