Merge pull request #10504 from qingkaishi/master

babeld: fix the checks for truncated packets
author: Donald Sharp <donaldsharp72@gmail.com> 2022-02-08 10:10:52 -0500
committer: GitHub <noreply@github.com> 2022-02-08 10:10:52 -0500
commit: fd554dd29890cbb1a7b9410a53d00e7ebb4edc38 (patch)
tree: 3d2c3e32828e1e3745344e68caa144c6874d2ac7 /babeld
parent: 107f77b56f1bf4bc4b82668c738f1ff12b3967fb (diff)
parent: c3793352a8d76d2eee1edc38a9a16c1c8a6573f4 (diff)
1 files changed, 10 insertions, 10 deletions
diff --git a/babeld/message.c b/babeld/message.c
index 3a29b6a60f..559b8c4e4a 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -140,12 +140,12 @@ parse_update_subtlv(const unsigned char *a, int alen,
             continue;
         }
 
-        if(i + 1 > alen) {
+        if(i + 1 >= alen) {
             flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
             return;
         }
         len = a[i + 1];
-        if(i + len > alen) {
+        if(i + len + 2 > alen) {
             flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
             return;
         }
@@ -182,19 +182,19 @@ parse_hello_subtlv(const unsigned char *a, int alen,
     int type, len, i = 0, ret = 0;
 
     while(i < alen) {
-        type = a[0];
+        type = a[i];
         if(type == SUBTLV_PAD1) {
             i++;
             continue;
         }
 
-        if(i + 1 > alen) {
+        if(i + 1 >= alen) {
             flog_err(EC_BABEL_PACKET,
 		      "Received truncated sub-TLV on Hello message.");
             return -1;
         }
         len = a[i + 1];
-        if(i + len > alen) {
+        if(i + len + 2 > alen) {
             flog_err(EC_BABEL_PACKET,
 		      "Received truncated sub-TLV on Hello message.");
             return -1;
@@ -228,19 +228,19 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
     int type, len, i = 0, ret = 0;
 
     while(i < alen) {
-        type = a[0];
+        type = a[i];
         if(type == SUBTLV_PAD1) {
             i++;
             continue;
         }
 
-        if(i + 1 > alen) {
+        if(i + 1 >= alen) {
             flog_err(EC_BABEL_PACKET,
 		      "Received truncated sub-TLV on IHU message.");
             return -1;
         }
         len = a[i + 1];
-        if(i + len > alen) {
+        if(i + len + 2 > alen) {
             flog_err(EC_BABEL_PACKET,
 		      "Received truncated sub-TLV on IHU message.");
             return -1;
@@ -307,12 +307,12 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
             i++;
             continue;
         }
-        if(i + 1 > bodylen) {
+        if(i + 2 > bodylen) {
             debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
             return 1;
         }
         len = message[1];
-        if(i + len > bodylen) {
+        if(i + len + 2 > bodylen) {
             debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
             return 1;
         }
author	Donald Sharp <donaldsharp72@gmail.com>	2022-02-08 10:10:52 -0500
committer	GitHub <noreply@github.com>	2022-02-08 10:10:52 -0500
commit	fd554dd29890cbb1a7b9410a53d00e7ebb4edc38 (patch)
tree	3d2c3e32828e1e3745344e68caa144c6874d2ac7 /babeld
parent	107f77b56f1bf4bc4b82668c738f1ff12b3967fb (diff)
parent	c3793352a8d76d2eee1edc38a9a16c1c8a6573f4 (diff)