mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-06 15:58:18 +00:00
ospfd: Limit possible message read to our buffer size
It's possible(but unlikely) that a read of data from the network will give us bogus data. Don't automatically just trust the data size from the network and limit the read to the size of the buffer we have in play. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
This commit is contained in:
parent
58c3cdb922
commit
e1c511c694
@ -353,8 +353,8 @@ struct msg *msg_read(int fd)
|
||||
struct msg *msg;
|
||||
struct apimsghdr hdr;
|
||||
uint8_t buf[OSPF_API_MAX_MSG_SIZE];
|
||||
int bodylen;
|
||||
int rlen;
|
||||
ssize_t bodylen;
|
||||
ssize_t rlen;
|
||||
|
||||
/* Read message header */
|
||||
rlen = readn(fd, (uint8_t *)&hdr, sizeof(struct apimsghdr));
|
||||
@ -378,8 +378,13 @@ struct msg *msg_read(int fd)
|
||||
|
||||
/* Determine body length. */
|
||||
bodylen = ntohs(hdr.msglen);
|
||||
if (bodylen > 0) {
|
||||
if (bodylen > (ssize_t)sizeof(buf)) {
|
||||
zlog_warn("%s: Body Length of message greater than what we can read",
|
||||
__func__);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (bodylen > 0) {
|
||||
/* Read message body */
|
||||
rlen = readn(fd, buf, bodylen);
|
||||
if (rlen < 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user