-rw-r--r--pimd/pim_msdp_packet.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/pimd/pim_msdp_packet.c b/pimd/pim_msdp_packet.c
index 9f0cba03c2..5230f6a332 100644
--- a/pimd/pim_msdp_packet.c
+++ b/pimd/pim_msdp_packet.c
@@ -83,10 +83,18 @@ static void pim_msdp_pkt_sa_dump_one(struct stream *s)
static void pim_msdp_pkt_sa_dump(struct stream *s)
{
+ const size_t header_length = PIM_MSDP_SA_X_SIZE - PIM_MSDP_HEADER_SIZE;
+ size_t payload_length;
int entry_cnt;
int i;
struct in_addr rp; /* Last RP address associated with this SA */
+ if (header_length > STREAM_READABLE(s)) {
+ zlog_err("BUG MSDP SA bad header (readable %zu expected %zu)",
+ STREAM_READABLE(s), header_length);
+ return;
+ }
+
entry_cnt = stream_getc(s);
rp.s_addr = stream_get_ipv4(s);
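Review bot: Both new `zlog_err` messages in pim_msdp_pkt_sa_dump (this header check and the payload check in the next hunk) are prefixed "BUG", yet the lengths they test come from the packet stream. If this dump can run on a received message before it has been validated, a peer sending a short or inconsistent SA would produce error-level lines that point operators at a local defect. Wording and level that describe malformed input would fit better, e.g. `zlog_warn("MSDP SA truncated header (readable %zu expected %zu)", STREAM_READABLE(s), header_length);`. Whether the receive path rejects such packets earlier is not visible here, and the function body continues outside the hunk.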
@@ -96,6 +104,13 @@ static void pim_msdp_pkt_sa_dump(struct stream *s)
zlog_debug(" entry_cnt %d rp %s", entry_cnt, rp_str);
}
+ payload_length = (size_t)entry_cnt * PIM_MSDP_SA_ONE_ENTRY_SIZE;
+ if (payload_length > STREAM_READABLE(s)) {
+ zlog_err("BUG MSDP SA bad length (readable %zu expected %zu)",
+ STREAM_READABLE(s), payload_length);
+ return;
+ }
+
/* dump SAs */
for (i = 0; i < entry_cnt; ++i) {
pim_msdp_pkt_sa_dump_one(s);
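Review bot: The single pre-loop guard on `payload_length` is only sufficient if every `pim_msdp_pkt_sa_dump_one(s)` call consumes exactly `PIM_MSDP_SA_ONE_ENTRY_SIZE` bytes, and that helper's body is outside the hunk. A comment above the check would record the coupling for whoever changes the per-entry dump later: `/* pim_msdp_pkt_sa_dump_one() must read exactly PIM_MSDP_SA_ONE_ENTRY_SIZE bytes per call */`. The loop closes outside the hunk.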
@@ -116,6 +131,11 @@ static void pim_msdp_pkt_dump(struct pim_msdp_peer *mp, int type, int len,
return;
}
+ if (len < PIM_MSDP_HEADER_SIZE) {
+ zlog_err("invalid MSDP header length");
+ return;
+ }
+
switch (type) {
case PIM_MSDP_V4_SOURCE_ACTIVE:
pim_msdp_pkt_sa_dump(s);
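Review bot: The new `len` check in pim_msdp_pkt_dump rejects only lengths below the header size, while the SA dump it dispatches to bounds its reads by `STREAM_READABLE(s)` rather than by `len`. If the stream can ever hold more bytes than this one message, the entry loop could still read past the message's declared end; comparing `len` with the readable size here would close that gap. The log line also omits the offending value, unlike the other two messages; `zlog_err("invalid MSDP header length %d", len);` would make it diagnosable. The function starts and ends outside the hunk.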