diff --git a/pimd/pim_igmp.c b/pimd/pim_igmp.c index 73dcdbddb4..477cf991b4 100644 --- a/pimd/pim_igmp.c +++ b/pimd/pim_igmp.c @@ -469,6 +469,45 @@ static int igmp_v1_recv_report(struct igmp_sock *igmp, struct in_addr from, return 0; } +bool pim_igmp_verify_header(struct ip *ip_hdr, size_t len, int igmp_msg_len, + int msg_type) +{ + if (len < sizeof(*ip_hdr)) { + zlog_warn("IGMP packet size=%zu shorter than minimum=%zu", len, + sizeof(*ip_hdr)); + return false; + } + + if (igmp_msg_len < PIM_IGMP_MIN_LEN) { + zlog_warn("IGMP message size=%d shorter than minimum=%d", + igmp_msg_len, PIM_IGMP_MIN_LEN); + return false; + } + + if ((msg_type != PIM_IGMP_MTRACE_RESPONSE) + && (msg_type != PIM_IGMP_MTRACE_QUERY_REQUEST)) { + if (ip_hdr->ip_ttl != 1) { + zlog_warn( + "Recv IGMP packet with invalid ttl=%u, discarding the packet", + ip_hdr->ip_ttl); + return -1; + } + } + + if ((msg_type == PIM_IGMP_V3_MEMBERSHIP_REPORT) + || ((msg_type == PIM_IGMP_MEMBERSHIP_QUERY) + && (igmp_msg_len >= IGMP_V3_SOURCES_OFFSET))) { + /* All IGMPv3 messages must be received with TOS set to 0xC0*/ + if (ip_hdr->ip_tos != IPTOS_PREC_INTERNETCONTROL) { + zlog_warn("Received IGMP Packet with invalid TOS %u", + ip_hdr->ip_tos); + return -1; + } + } + + return true; +} + int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len) { struct ip *ip_hdr; @@ -479,17 +518,8 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len) char from_str[INET_ADDRSTRLEN]; char to_str[INET_ADDRSTRLEN]; - if (len < sizeof(*ip_hdr)) { - zlog_warn("IGMP packet size=%zu shorter than minimum=%zu", len, - sizeof(*ip_hdr)); - return -1; - } - ip_hdr = (struct ip *)buf; - pim_inet4_dump("", ip_hdr->ip_src, from_str, sizeof(from_str)); - pim_inet4_dump("", ip_hdr->ip_dst, to_str, sizeof(to_str)); - ip_hlen = ip_hdr->ip_hl << 2; /* ip_hl gives length in 4-byte words */ if (ip_hlen > len) { @@ -501,15 +531,11 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len) igmp_msg = buf + ip_hlen; igmp_msg_len = len - ip_hlen; - - if (igmp_msg_len < PIM_IGMP_MIN_LEN) { - zlog_warn("IGMP message size=%d shorter than minimum=%d", - igmp_msg_len, PIM_IGMP_MIN_LEN); - return -1; - } - msg_type = *igmp_msg; + pim_inet4_dump("", ip_hdr->ip_src, from_str, sizeof(from_str)); + pim_inet4_dump("", ip_hdr->ip_dst, to_str, sizeof(to_str)); + if (PIM_DEBUG_IGMP_PACKETS) { zlog_debug( "Recv IGMP packet from %s to %s on %s: size=%zu ttl=%d msg_type=%d msg_size=%d", @@ -517,6 +543,14 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len) msg_type, igmp_msg_len); } + if (!pim_igmp_verify_header(ip_hdr, len, igmp_msg_len, msg_type)) { + zlog_warn( + "Recv IGMP packet from %s to %s on %s: size=%zu ttl=%u msg_type=%d msg_size=%d", + from_str, to_str, igmp->interface->name, len, + ip_hdr->ip_ttl, msg_type, igmp_msg_len); + return -1; + } + switch (msg_type) { case PIM_IGMP_MEMBERSHIP_QUERY: { int max_resp_code = igmp_msg[1]; diff --git a/pimd/pim_igmp.h b/pimd/pim_igmp.h index a0681128c0..88324b7937 100644 --- a/pimd/pim_igmp.h +++ b/pimd/pim_igmp.h @@ -116,7 +116,8 @@ void igmp_sock_delete(struct igmp_sock *igmp); void igmp_sock_free(struct igmp_sock *igmp); void igmp_sock_delete_all(struct interface *ifp); int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len); - +bool pim_igmp_verify_header(struct ip *ip_hdr, size_t len, int igmp_msg_len, + int msg_type); void pim_igmp_general_query_on(struct igmp_sock *igmp); void pim_igmp_general_query_off(struct igmp_sock *igmp); void pim_igmp_other_querier_timer_on(struct igmp_sock *igmp);