authorQuentin Young <qlyoung@cumulusnetworks.com>2019-12-21 21:02:15 -0500
committerQuentin Young <qlyoung@cumulusnetworks.com>2019-12-21 21:02:15 -0500
commit9ebc245ac4e0f943f040b325561b87d5a7a1a585 (patch)
tree05583734a7f89a6a770768fd57b4d3f999a319bf /pimd/pim_igmp_mtrace.c
parent7809d22aa2d4b9be6fd9b6c0287c8174e8d8a263 (diff)
pimd: fix missing igmp mtrace length check
We check that the IGMP message is sufficiently sized for an mtrace query, but not for a response, leading to an uninitialized stack read. Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'pimd/pim_igmp_mtrace.c')
-rw-r--r--pimd/pim_igmp_mtrace.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/pimd/pim_igmp_mtrace.c b/pimd/pim_igmp_mtrace.c
index 0758e2f784..695d04c7c2 100644
--- a/pimd/pim_igmp_mtrace.c
+++ b/pimd/pim_igmp_mtrace.c
@@ -864,6 +864,16 @@ int igmp_mtrace_recv_response(struct igmp_sock *igmp, struct ip *ip_hdr,
pim_ifp = ifp->info;
pim = pim_ifp->pim;
+ if (igmp_msg_len < (int)sizeof(struct igmp_mtrace)) {
+ if (PIM_DEBUG_MTRACE)
+ zlog_warn(
+ "Recv mtrace packet from %s on %s: too short,"
+ " len=%d, min=%zu",
+ from_str, ifp->name, igmp_msg_len,
+ sizeof(struct igmp_mtrace));
+ return -1;
+ }
+
mtracep = (struct igmp_mtrace *)igmp_msg;
recv_checksum = mtracep->checksum;
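Review bot: The new length guard ahead of the `mtracep` cast drops a short packet silently unless `PIM_DEBUG_MTRACE` is set, so in a normal configuration there is no record that malformed mtrace responses are arriving on an interface; consider counting the drop or logging it outside the debug gate. The guard covers only the fixed `struct igmp_mtrace` header, so any parsing of trailing response blocks later in igmp_mtrace_recv_response (outside this hunk) presumably still has to bound itself against `igmp_msg_len`. A short comment above the check would record why the cast sits on the `sizeof` side, for example `/* igmp_msg_len is signed: compare against (int)sizeof so a negative length is rejected too */`. The function body starts before and continues past the hunk.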