authorDonald Sharp <sharpd@nvidia.com>2022-06-22 08:24:03 -0400
committerDonald Sharp <sharpd@nvidia.com>2022-06-23 13:43:25 -0400
commitd9529c9fb11d7fabe6f6986761293358dc0baffe (patch)
tree8b5f5856265a4e47d495f31c10ad2b039bf75eeb
parent75700af6027073a2ede58b429ec49b6beb05dcb3 (diff)
ospf6d: Ensure that ospf6d does not memcpy beyond end of data
Ensure that received data size can fit into temp variable that is used to dump data. Signed-off-by: Donald Sharp <sharpd@nvidia.com>
-rw-r--r--ospf6d/ospf6_auth_trailer.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/ospf6d/ospf6_auth_trailer.c b/ospf6d/ospf6_auth_trailer.c
index 77ac4a1877..e54f6784e8 100644
--- a/ospf6d/ospf6_auth_trailer.c
+++ b/ospf6d/ospf6_auth_trailer.c
@@ -120,7 +120,13 @@ void ospf6_auth_hdr_dump_recv(struct ospf6_header *ospfh, uint16_t length,
ospf6_at_hdr =
(struct ospf6_auth_hdr *)((uint8_t *)ospfh + oh_len);
at_hdr_len = ntohs(ospf6_at_hdr->length);
- hash_len = at_hdr_len - OSPF6_AUTH_HDR_MIN_SIZE;
+ hash_len = at_hdr_len - (uint16_t)OSPF6_AUTH_HDR_MIN_SIZE;
+ if (hash_len > KEYCHAIN_MAX_HASH_SIZE) {
+ zlog_debug(
+ "Specified value for hash_len %u is greater than expected %u",
+ hash_len, KEYCHAIN_MAX_HASH_SIZE);
+ return;
+ }
memcpy(temp, ospf6_at_hdr->data, hash_len);
temp[hash_len] = '\0';
zlog_debug("OSPF6 Authentication Trailer");
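Review bot: The new guard on `hash_len` bounds only the write into `temp`; the read side of the `memcpy` still trusts the `length` field taken from the received trailer, so a trailer that claims more hash bytes than the packet actually carries would be read past the received data unless a check outside this hunk already rules that out. A length field smaller than `OSPF6_AUTH_HDR_MIN_SIZE` is rejected only because the subtraction wraps to a large value (assuming `hash_len` is an unsigned 16-bit variable; its declaration is not in the hunk), and the debug message then reports a misleading size. I would validate `at_hdr_len` before subtracting, along the lines of `if (at_hdr_len < OSPF6_AUTH_HDR_MIN_SIZE || oh_len + at_hdr_len > length) return;`. Also confirm that `temp` is declared with at least `KEYCHAIN_MAX_HASH_SIZE + 1` bytes, since `temp[hash_len] = '\0'` writes index `KEYCHAIN_MAX_HASH_SIZE` when the check passes at the limit; if it is not, the comparison should be `>=`. The function body starts before and continues after this hunk.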