ospfd: Limit possible message read to our buffer size

It's possible(but unlikely) that a read of data from the network will give us bogus data. Don't automatically just trust the data size from the network and limit the read to the size of the buffer we have in play. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
author: Donald Sharp <sharpd@cumulusnetworks.com> 2020-04-21 08:09:58 -0400
committer: Donald Sharp <sharpd@cumulusnetworks.com> 2020-04-22 07:31:07 -0400
commit: e1c511c6944673a9d0bdeceb4b5985b3afe29b1a (patch)
tree: 5a78223f4ea51df507cf70fd5abfeb3fe9648de0 /ospfd/ospf_api.c
parent: 58c3cdb922004056225a46cfde5bd6c36850bebd (diff)
1 files changed, 8 insertions, 3 deletions
diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c
index 1ace0977bc..7e7236a3b6 100644
--- a/ospfd/ospf_api.c
+++ b/ospfd/ospf_api.c
@@ -353,8 +353,8 @@ struct msg *msg_read(int fd)
 	struct msg *msg;
 	struct apimsghdr hdr;
 	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
-	int bodylen;
-	int rlen;
+	ssize_t bodylen;
+	ssize_t rlen;
 
 	/* Read message header */
 	rlen = readn(fd, (uint8_t *)&hdr, sizeof(struct apimsghdr));
@@ -378,8 +378,13 @@ struct msg *msg_read(int fd)
 
 	/* Determine body length. */
 	bodylen = ntohs(hdr.msglen);
-	if (bodylen > 0) {
+	if (bodylen > (ssize_t)sizeof(buf)) {
+		zlog_warn("%s: Body Length of message greater than what we can read",
+			  __func__);
+		return NULL;
+	}
 
+	if (bodylen > 0) {
 		/* Read message body */
 		rlen = readn(fd, buf, bodylen);
 		if (rlen < 0) {
author	Donald Sharp <sharpd@cumulusnetworks.com>	2020-04-21 08:09:58 -0400
committer	Donald Sharp <sharpd@cumulusnetworks.com>	2020-04-22 07:31:07 -0400
commit	e1c511c6944673a9d0bdeceb4b5985b3afe29b1a (patch)
tree	5a78223f4ea51df507cf70fd5abfeb3fe9648de0 /ospfd/ospf_api.c
parent	58c3cdb922004056225a46cfde5bd6c36850bebd (diff)