From 813099f0fcd3781edfa00b6e6f2cc96732b494ae Mon Sep 17 00:00:00 2001 From: paco Date: Tue, 26 Jun 2018 17:09:07 +0200 Subject: [PATCH] pimd: untrusted argument (3) (Coverity 1465491) Additional fix over d94023d85c1682ae14def9d50f2474e8e6290e44 (PR #2546) Removed all pointer arithmetic used for the checks, while keeping same coverage. I hope this removes the Coverity warning (If this don't fix it, I'll make Coverity work with a fork and try there as many times as necessary) Signed-off-by: F. Aragon --- pimd/mtracebis.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/pimd/mtracebis.c b/pimd/mtracebis.c index a0e8fd127..c0d95aeed 100644 --- a/pimd/mtracebis.c +++ b/pimd/mtracebis.c @@ -266,6 +266,8 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer) int mtrace_len; int responses; unsigned short sum; + size_t mtrace_off; + size_t ip_len; recvd = recvfrom(fd, mtrace_buf, IP_AND_MTRACE_BUF_LEN, 0, NULL, 0); @@ -292,19 +294,19 @@ static int recv_response(int fd, int *hops, struct igmp_mtrace *mtracer) if (sum != in_cksum(ip, ip->ip_hl * 4)) return -1; - mtrace = (struct igmp_mtrace *)(mtrace_buf + (4 * ip->ip_hl)); - - mtrace_len = ntohs(ip->ip_len) - ip->ip_hl * 4; - - if ((char *)mtrace + mtrace_len - > (char *)mtrace_buf + IP_AND_MTRACE_BUF_LEN) + /* Header overflow check */ + mtrace_off = 4 * ip->ip_hl; + if (mtrace_off > MTRACE_BUF_LEN) return -1; - if (mtrace_len < (int)MTRACE_HDR_SIZE) + /* Underflow/overflow check */ + ip_len = ntohs(ip->ip_len); + if (ip_len < mtrace_off || ip_len < MTRACE_HDR_SIZE + || ip_len > MTRACE_BUF_LEN) return -1; - if (mtrace_len > (int)MTRACE_BUF_LEN) - return -1; + mtrace_len = ip_len - mtrace_off; + mtrace = (struct igmp_mtrace *)(mtrace_buf + mtrace_off); sum = mtrace->checksum; mtrace->checksum = 0; -- 2.39.5