Implements better checks on incoming packets and LSAs in OSPF.

author: Ondrej Zajicek <santiago@crfreenet.org> 2009-10-29 23:57:42 +0100
committer: Ondrej Zajicek <santiago@crfreenet.org> 2009-10-29 23:57:42 +0100
commit: a6bc04d59130c49a1dbfadffa4285b11e2ff4939 (patch)
tree: b5f453dc5fbe20204883149e1bc153905f356709 /proto/ospf/dbdes.c
parent: 9d4d38d1a5d67f5485d2b2fa439c879583dfdcb0 (diff)
1 files changed, 9 insertions, 3 deletions
diff --git a/proto/ospf/dbdes.c b/proto/ospf/dbdes.c
index c9d318c6..2cb2dd8d 100644
--- a/proto/ospf/dbdes.c
+++ b/proto/ospf/dbdes.c
@@ -53,7 +53,7 @@ static void ospf_dump_dbdes(struct proto *p, struct ospf_dbdes_packet *pkt)
   log(L_TRACE "%s:     ddseq    %u", p->name, ntohl(pkt->ddseq));
 
   struct ospf_lsa_header *plsa = (void *) (pkt + 1);
-  int i, j;
+  unsigned int i, j;
 
   j = (ntohs(op->length) - sizeof(struct ospf_dbdes_packet)) /
     sizeof(struct ospf_lsa_header);
@@ -247,11 +247,17 @@ void
 ospf_dbdes_receive(struct ospf_packet *ps_i, struct ospf_iface *ifa,
 		   struct ospf_neighbor *n)
 {
-  struct ospf_dbdes_packet *ps = (void *) ps_i;
   struct proto *p = &ifa->oa->po->proto;
   u32 myrid = p->cf->global->router_id;
-  unsigned int size = ntohs(ps->ospf_packet.length);
 
+  unsigned int size = ntohs(ps_i->length);
+  if (size < sizeof(struct ospf_dbdes_packet))
+  {
+    log(L_ERR "Bad OSPF DBDES packet from %I -  too short (%u B)", n->ip, size);
+    return;
+  }
+
+  struct ospf_dbdes_packet *ps = (void *) ps_i;
   u32 ps_ddseq = ntohl(ps->ddseq);
   u32 ps_options = ntoh_opt(ps->options);
author	Ondrej Zajicek <santiago@crfreenet.org>	2009-10-29 23:57:42 +0100
committer	Ondrej Zajicek <santiago@crfreenet.org>	2009-10-29 23:57:42 +0100
commit	a6bc04d59130c49a1dbfadffa4285b11e2ff4939 (patch)
tree	b5f453dc5fbe20204883149e1bc153905f356709 /proto/ospf/dbdes.c
parent	9d4d38d1a5d67f5485d2b2fa439c879583dfdcb0 (diff)