proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-04-28 17:01:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

babeld: Check that bodylen is within some bounds of usable

Browse Source 
Coverity believed that the bodylen value was read directly
from the incoming packet and then used as a loop variable.
Unfortunately it missed the fact that in babel_packet_examin
the bodylen was actually checked to ensure that it was long
enough.  So instead of checking it 2 times, generate it one
time and let coverity figure it out from that.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
This commit is contained in:
Donald Sharp 2022-05-12 13:23:36 -04:00
parent 601db492b8
commit 8128153ba4
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
babeld/message.c
View File

@ -286,7 +286,7 @@ channels_len(unsigned char *channels)
followed by a sequence of TLVs. TLVs of known types are also checked to meet
minimum length constraints defined for each. Return 0 for no errors. */
static int
babel_packet_examin(const unsigned char *packet, int packetlen)
babel_packet_examin(const unsigned char *packet, int packetlen, int *blength)
{
int i = 0, bodylen;
const unsigned char *message;
@ -323,6 +323,8 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
}
i += len + 2;
}
*blength = bodylen;
return 0;
}
@ -356,7 +358,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
return;
}
if (babel_packet_examin (packet, packetlen)) {
if (babel_packet_examin (packet, packetlen, &bodylen)) {
flog_err(EC_BABEL_PACKET,
"Received malformed packet on %s from %s.",
ifp->name, format_address(from));
@ -369,8 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
return;
}
DO_NTOHS(bodylen, packet + 2);
i = 0;
while(i < bodylen) {
message = packet + 4 + i;