babeld: Check that bodylen is within some bounds of usable

Coverity believed that the bodylen value was read directly
from the incoming packet and then used as a loop variable.
Unfortunately it missed the fact that in babel_packet_examin
the bodylen was actually checked to ensure that it was long
enough.  So instead of checking it 2 times, generate it one
time and let coverity figure it out from that.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/babeld/message.c b/babeld/message.c
index 559b8c4e4ac829946d91fd876a7781019a8b2f29..0ddfda8d7b551de599f97e1bfd3daee161b7d706 100644 (file)
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -286,7 +286,7 @@ channels_len(unsigned char *channels)
    followed by a sequence of TLVs. TLVs of known types are also checked to meet
    minimum length constraints defined for each. Return 0 for no errors. */
 static int
-babel_packet_examin(const unsigned char *packet, int packetlen)
+babel_packet_examin(const unsigned char *packet, int packetlen, int *blength)
 {
     int i = 0, bodylen;
     const unsigned char *message;
@@ -323,6 +323,8 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
         }
         i += len + 2;
     }
+
+    *blength = bodylen;
     return 0;
 }
 
@@ -356,7 +358,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
         return;
     }
 
-    if (babel_packet_examin (packet, packetlen)) {
+    if (babel_packet_examin (packet, packetlen, &bodylen)) {
         flog_err(EC_BABEL_PACKET,
                  "Received malformed packet on %s from %s.",
                   ifp->name, format_address(from));
@@ -369,8 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
         return;
     }
 
-    DO_NTOHS(bodylen, packet + 2);
-
     i = 0;
     while(i < bodylen) {
         message = packet + 4 + i;