Merge pull request #5549 from donaldsharp/automated
[mirror_frr.git] / ospfd / ospf_packet.c
index 80ffc3f36102e40e7d83bd70d415cc47a6dd9b07..95fb694925a3d1eb090bafb274563541d241257d 100644 (file)
@@ -2318,8 +2318,7 @@ static struct stream *ospf_recv_packet(struct ospf *ospf, int fd,
                                  safe_strerror(errno));
                return NULL;
        }
-       if ((unsigned int)ret < sizeof(iph)) /* ret must be > 0 now */
-       {
+       if ((unsigned int)ret < sizeof(struct ip)) {
                flog_warn(
                        EC_OSPF_PACKET,
                        "ospf_recv_packet: discarding runt packet of length %d "
@@ -3001,11 +3000,23 @@ static enum ospf_read_return_enum ospf_read_helper(struct ospf *ospf)
                return OSPF_READ_CONTINUE;
        }
 
-       /*
-        * Advance from IP header to OSPF header (iph->ip_hl has
-        * been verified by ospf_recv_packet() to be correct).
-        */
-       stream_forward_getp(ibuf, iph->ip_hl * 4);
+       /* Check that we have enough for an IP header */
+       if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf)) {
+               if ((unsigned int)(iph->ip_hl << 2) == STREAM_READABLE(ibuf)) {
+                       flog_warn(
+                               EC_OSPF_PACKET,
+                               "Rx'd IP packet with OSPF protocol number but no payload");
+               } else {
+                       flog_warn(
+                               EC_OSPF_PACKET,
+                               "IP header length field claims header is %u bytes, but we only have %zu",
+                               (unsigned int)(iph->ip_hl << 2),
+                               STREAM_READABLE(ibuf));
+               }
+
+               return OSPF_READ_ERROR;
+       }
+       stream_forward_getp(ibuf, iph->ip_hl << 2);
 
        ospfh = (struct ospf_header *)stream_pnt(ibuf);
        if (MSG_OK
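Review bot: The new check on `iph->ip_hl << 2` enforces an upper bound but no lower bound, so a header-length field below 5 (less than `sizeof(struct ip)`) still passes and `stream_forward_getp()` advances by fewer than 20 bytes, which leaves the `struct ospf_header *` cast on the following line pointing into the IP header itself. Unless that case is rejected somewhere not visible in this hunk, I would hoist the value as `unsigned int ip_len = iph->ip_hl << 2;` and test `if (ip_len < sizeof(struct ip) || ip_len >= STREAM_READABLE(ibuf))`, giving the too-short case its own warning because the existing else-branch message would be misleading for it. Hoisting also removes the repeated shift-and-cast expression from the condition, the inner comparison, the log arguments and the `stream_forward_getp()` call. The comment would be more accurate as `/* Check that the claimed IP header length fits in what we received */`. ospf_read_helper's body starts and ends outside the hunk.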