Merge pull request #5430 from taruta811/build-docker-centos

[mirror_frr.git] / pimd / pim_bsm.c

diff --git a/pimd/pim_bsm.c b/pimd/pim_bsm.c
index 62f13b5b534199ee90ee20f7ebd4be714594ddb6..4a69e4d1abc43f2d050480582be5f5b97fc4b5a3 100644 (file)
--- a/pimd/pim_bsm.c
+++ b/pimd/pim_bsm.c
@@ -290,8 +290,7 @@ void pim_bsm_proc_free(struct pim_instance *pim)
                pim_free_bsgrp_data(bsgrp);
        }
 
-       if (pim->global_scope.bsrp_table)
-               route_table_finish(pim->global_scope.bsrp_table);
+       route_table_finish(pim->global_scope.bsrp_table);
 }
 
 static bool is_hold_time_elapsed(void *data)
@@ -683,8 +682,13 @@ static bool pim_bsm_send_intf(uint8_t *buf, int len, struct interface *ifp,
                return false;
        }
 
-       pim_msg_send(pim_ifp->pim_sock_fd, pim_ifp->primary_address, dst_addr,
-                    buf, len, ifp->name);
+       if (pim_msg_send(pim_ifp->pim_sock_fd, pim_ifp->primary_address,
+                        dst_addr, buf, len, ifp->name)) {
+               zlog_warn("%s: Could not send BSM message on interface: %s",
+                         __PRETTY_FUNCTION__, ifp->name);
+               return false;
+       }
+
        pim_ifp->pim_ifstat_bsm_tx++;
        pim_ifp->pim->bsm_sent++;
        return true;
@@ -711,11 +715,11 @@ static bool pim_bsm_frag_send(uint8_t *buf, uint32_t len, struct interface *ifp,
        /* MTU  passed here is PIM MTU (IP MTU less IP Hdr) */
        if (pim_mtu < (PIM_MIN_BSM_LEN)) {
                zlog_warn(
-                       "%s: mtu(pim mtu: %d) size less than minimum bootsrap len",
+                       "%s: mtu(pim mtu: %d) size less than minimum bootstrap len",
                        __PRETTY_FUNCTION__, pim_mtu);
                if (PIM_DEBUG_BSM)
                        zlog_debug(
-                               "%s: mtu (pim mtu:%d) less than minimum bootsrap len",
+                               "%s: mtu (pim mtu:%d) less than minimum bootstrap len",
                                __PRETTY_FUNCTION__, pim_mtu);
                return false;
        }
@@ -1028,7 +1032,8 @@ static uint32_t hash_calc_on_grp_rp(struct prefix group, struct in_addr rp,
        else
                grpaddr = grpaddr & mask;
        rp_add = ntohl(rp.s_addr);
-       temp = 1103515245 * ((1103515245 * grpaddr + 12345) ^ rp_add) + 12345;
+       temp = 1103515245 * ((1103515245 * (uint64_t)grpaddr + 12345) ^ rp_add)
+              + 12345;
        hash = temp & (0x7fffffff);
        return hash;
 }
@@ -1106,6 +1111,13 @@ static bool pim_bsm_parse_install_g2rp(struct bsm_scope *scope, uint8_t *buf,
        int ins_count = 0;
 
        while (buflen > offset) {
+               if (offset + (int)sizeof(struct bsmmsg_grpinfo) > buflen) {
+                       if (PIM_DEBUG_BSM)
+                               zlog_debug(
+                                       "%s: buflen received %d is less than the internal data structure of the packet would suggest",
+                                       __PRETTY_FUNCTION__, buflen);
+                       return false;
+               }
                /* Extract Group tlv from BSM */
                memcpy(&grpinfo, buf, sizeof(struct bsmmsg_grpinfo));
 
@@ -1137,6 +1149,12 @@ static bool pim_bsm_parse_install_g2rp(struct bsm_scope *scope, uint8_t *buf,
                }
 
                group.family = AF_INET;
+               if (grpinfo.group.mask > IPV4_MAX_BITLEN) {
+                       if (PIM_DEBUG_BSM)
+                               zlog_debug("%s, v4 prefix length specified: %d is too long",
+                                          __PRETTY_FUNCTION__, grpinfo.group.mask);
+                       return false;
+               }
                group.prefixlen = grpinfo.group.mask;
                group.u.prefix4.s_addr = grpinfo.group.addr.s_addr;
 
@@ -1169,6 +1187,15 @@ static bool pim_bsm_parse_install_g2rp(struct bsm_scope *scope, uint8_t *buf,
                ins_count = 0;
 
                while (frag_rp_cnt--) {
+                       if (offset + (int)sizeof(struct bsmmsg_rpinfo)
+                           > buflen) {
+                               if (PIM_DEBUG_BSM)
+                                       zlog_debug(
+                                               "%s, buflen received: %u is less than the internal data structure of the packet would suggest",
+                                               __PRETTY_FUNCTION__, buflen);
+                               return false;
+                       }
+
                        /* Extract RP address tlv from BSM */
                        memcpy(&rpinfo, buf, sizeof(struct bsmmsg_rpinfo));
                        rpinfo.rp_holdtime = ntohs(rpinfo.rp_holdtime);
@@ -1240,6 +1267,13 @@ int pim_bsm_process(struct interface *ifp, struct ip *ip_hdr, uint8_t *buf,
                return -1;
        }
 
+       if (buf_size < (PIM_MSG_HEADER_LEN + sizeof(struct bsm_hdr))) {
+               if (PIM_DEBUG_BSM)
+                       zlog_debug("%s: received buffer length of %d which is too small to properly decode",
+                                  __PRETTY_FUNCTION__, buf_size);
+               return -1;
+       }
+
        bshdr = (struct bsm_hdr *)(buf + PIM_MSG_HEADER_LEN);
        pim_inet4_dump("<bsr?>", bshdr->bsr_addr.addr, bsr_str,
                       sizeof(bsr_str));