| author | paco <paco@voltanet.io> | 2018-06-25 11:19:55 +0200 |
|---|---|---|
| committer | paco <paco@voltanet.io> | 2018-06-25 11:22:20 +0200 |
| commit | c23bc38a9fdc5d5bffe14372a18c91d78e53e60a (patch) | |
| tree | 05e2324c8a680873a989b81b1458d713b875220e /ospfd/ospf_api.c | |
| parent | 3a743cb7ec5fd1e91e0803487c606cf63e54c22b (diff) | |
ospfd: OoB access (Coverity 1221445 1221448)
Signed-off-by: F. Aragon <paco@voltanet.io>
Diffstat (limited to 'ospfd/ospf_api.c')
| -rw-r--r-- | ospfd/ospf_api.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c
index 8369dde822..b1175a2f68 100644
--- a/ospfd/ospf_api.c
+++ b/ospfd/ospf_api.c
@@ -510,17 +510,18 @@ struct msg *new_msg_originate_request(uint32_t seqnum, struct in_addr ifaddr,
 struct msg_originate_request *omsg;
 unsigned int omsglen;
 char buf[OSPF_API_MAX_MSG_SIZE];
+ size_t off_data = offsetof(struct msg_originate_request, data);
+ size_t data_maxs = sizeof(buf) - off_data;
+ struct lsa_header *omsg_data = (struct lsa_header *)&buf[off_data];
 omsg = (struct msg_originate_request *)buf;
 omsg->ifaddr = ifaddr;
 omsg->area_id = area_id;
 omsglen = ntohs(data->length);
- if (omsglen
- > sizeof(buf) - offsetof(struct msg_originate_request, data))
- omsglen = sizeof(buf)
- - offsetof(struct msg_originate_request, data);
- memcpy(&omsg->data, data, omsglen);
+ if (omsglen > data_maxs)
+ omsglen = data_maxs;
+ memcpy(omsg_data, data, omsglen);
 omsglen += sizeof(struct msg_originate_request) - sizeof(struct lsa_header);
@@ -630,6 +631,9 @@ struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum,
 uint8_t buf[OSPF_API_MAX_MSG_SIZE];
 struct msg_lsa_change_notify *nmsg;
 unsigned int len;
+ size_t off_data = offsetof(struct msg_lsa_change_notify, data);
+ size_t data_maxs = sizeof(buf) - off_data;
+ struct lsa_header *nmsg_data = (struct lsa_header *)&buf[off_data];
 assert(data);
@@ -640,10 +644,9 @@ struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum,
 memset(&nmsg->pad, 0, sizeof(nmsg->pad));
 len = ntohs(data->length);
- if (len > sizeof(buf) - offsetof(struct msg_lsa_change_notify, data))
- len = sizeof(buf)
- - offsetof(struct msg_lsa_change_notify, data);
- memcpy(&nmsg->data, data, len);
+ if (len > data_maxs)
+ len = data_maxs;
+ memcpy(nmsg_data, data, len);
 len += sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header);
 return msg_new(msgtype, nmsg, seqnum, len); |
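Review bot: The clamp `if (omsglen > data_maxs) omsglen = data_maxs;` still truncates an oversized LSA silently, so the copied header keeps a `length` field that claims more bytes than the message now carries. A receiver that trusts the inner LSA length rather than the API message length could read past the payload. If callers already cope with a NULL return (not visible in this hunk), rejecting is safer than clamping: `if (omsglen > data_maxs) return NULL;`, ideally with a log line. The same clamp is kept in new_msg_lsa_change_notify (the `len > data_maxs` hunk). The function body starts and ends outside this hunk.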
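Review bot: `nmsg_data` is declared as `struct lsa_header *` but is only ever the destination of a `memcpy` of up to `data_maxs` bytes, so its type still suggests a single fixed-size header, presumably the reading that made Coverity report the old `&nmsg->data` destination. A byte-oriented pointer needs no cast and states the intent: `void *nmsg_data = &buf[off_data];`. The same applies to `omsg_data` in new_msg_originate_request. A short comment such as `/* the LSA is variable-length: bound the copy by buf, not by sizeof(struct lsa_header) */` would record why the copy goes through `buf`. The declarations sit in a function whose body continues outside the hunk.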
