Merge pull request #10494 from whichbug/fix#10487

babeld: add a check for truncated packets
2025-08-14 08:50:26 +00:00 · 2022-02-06 20:55:26 +03:00 · 2022-02-06 20:55:26 +03:00 · b223651ff6
commit b223651ff6
parent eef8006341 50044ec7fe
1 changed files with 6 additions and 7 deletions
--- a/babeld/message.c
+++ b/babeld/message.c
@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
 static int
 babel_packet_examin(const unsigned char *packet, int packetlen)
 {
-    unsigned i = 0, bodylen;
+    int i = 0, bodylen;
    const unsigned char *message;
    unsigned char type, len;

    if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
        return 1;
    DO_NTOHS(bodylen, packet + 2);
+    if(bodylen + 4 > packetlen) {
+        debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
+                 bodylen, packetlen);
+        return 1;
+    }
    while (i < bodylen){
        message = packet + 4 + i;
        type = message[0];
@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,

    DO_NTOHS(bodylen, packet + 2);

-    if(bodylen + 4 > packetlen) {
-        flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
-                 bodylen, packetlen);
-        bodylen = packetlen - 4;
-    }
-
    i = 0;
    while(i < bodylen) {
        message = packet + 4 + i;