From 9ebc245ac4e0f943f040b325561b87d5a7a1a585 Mon Sep 17 00:00:00 2001 From: Quentin Young Date: Sat, 21 Dec 2019 21:02:15 -0500 Subject: [PATCH] pimd: fix missing igmp mtrace length check We check that the IGMP message is sufficently sized for an mtrace query, but not a response, leading to uninitialized stack read. Signed-off-by: Quentin Young --- pimd/pim_igmp_mtrace.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pimd/pim_igmp_mtrace.c b/pimd/pim_igmp_mtrace.c index 0758e2f784..695d04c7c2 100644 --- a/pimd/pim_igmp_mtrace.c +++ b/pimd/pim_igmp_mtrace.c @@ -864,6 +864,16 @@ int igmp_mtrace_recv_response(struct igmp_sock *igmp, struct ip *ip_hdr, pim_ifp = ifp->info; pim = pim_ifp->pim; + if (igmp_msg_len < (int)sizeof(struct igmp_mtrace)) { + if (PIM_DEBUG_MTRACE) + zlog_warn( + "Recv mtrace packet from %s on %s: too short," + " len=%d, min=%zu", + from_str, ifp->name, igmp_msg_len, + sizeof(struct igmp_mtrace)); + return -1; + } + mtracep = (struct igmp_mtrace *)igmp_msg; recv_checksum = mtracep->checksum;
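Review bot: The new guard only bounds the fixed part of the message, so `mtracep` is now safe to read through `sizeof(struct igmp_mtrace)` bytes, but nothing here bounds whatever follows the header; if the remainder of igmp_mtrace_recv_response (which starts and ends outside this hunk) walks a variable number of trailing response records, the length left over after the header, `igmp_msg_len - (int)sizeof(struct igmp_mtrace)`, must be checked against the size of those records as well, or the same uninitialized-stack read recurs one step later. The check itself is correct for negative and undersized values since `igmp_msg_len` is a signed int compared against a signed cast of the header size; a one-line comment such as `/* Bound the fixed header before any field of mtracep is read; trailing data is validated separately. */` above the `if` would make the scope of the guard clear to the next reader. Since the commit message says the query path already carries an identical minimum-length check, the two copies are now candidates for a shared static helper so they cannot drift apart again, which is how this gap appeared in the first place.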