From: Donald Sharp Date: Thu, 12 May 2022 17:23:36 +0000 (-0400) Subject: babeld: Check that bodylen is within some bounds of usable X-Git-Tag: frr-8.5.1~910^2~2 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=8128153ba40b3ee53dfa4a1f4c252635e6908596;p=mirror_frr.git babeld: Check that bodylen is within some bounds of usable Coverity believed that the bodylen value was read directly from the incoming packet and then used as a loop variable. Unfortunately it missed the fact that in babel_packet_examin the bodylen was actually checked to ensure that it was long enough. So instead of checking it 2 times, generate it one time and let coverity figure it out from that. Signed-off-by: Donald Sharp --- diff --git a/babeld/message.c b/babeld/message.c index 559b8c4e4..0ddfda8d7 100644 --- a/babeld/message.c +++ b/babeld/message.c @@ -286,7 +286,7 @@ channels_len(unsigned char *channels) followed by a sequence of TLVs. TLVs of known types are also checked to meet minimum length constraints defined for each. Return 0 for no errors. */ static int -babel_packet_examin(const unsigned char *packet, int packetlen) +babel_packet_examin(const unsigned char *packet, int packetlen, int *blength) { int i = 0, bodylen; const unsigned char *message; @@ -323,6 +323,8 @@ babel_packet_examin(const unsigned char *packet, int packetlen) } i += len + 2; } + + *blength = bodylen; return 0; } @@ -356,7 +358,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, return; } - if (babel_packet_examin (packet, packetlen)) { + if (babel_packet_examin (packet, packetlen, &bodylen)) { flog_err(EC_BABEL_PACKET, "Received malformed packet on %s from %s.", ifp->name, format_address(from)); @@ -369,8 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp, return; } - DO_NTOHS(bodylen, packet + 2); - i = 0; while(i < bodylen) { message = packet + 4 + i;