ospfd: fix misplaced trust in ip header length
authorQuentin Young <qlyoung@cumulusnetworks.com>
Thu, 12 Dec 2019 05:09:39 +0000 (00:09 -0500)
committerQuentin Young <qlyoung@cumulusnetworks.com>
Thu, 12 Dec 2019 06:03:13 +0000 (01:03 -0500)
We actually don't validate the IHL field, although it certainly looks
like we do at a casual glance.

This patch saves us from an assert in case we actually do get an IP
packet with an incorrect header length field.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
ospfd/ospf_packet.c

index 80ffc3f36102e40e7d83bd70d415cc47a6dd9b07..0d520f8b0a6746534399a764544ba079b1ec8af3 100644 (file)
@@ -3001,11 +3001,23 @@ static enum ospf_read_return_enum ospf_read_helper(struct ospf *ospf)
                return OSPF_READ_CONTINUE;
        }
 
-       /*
-        * Advance from IP header to OSPF header (iph->ip_hl has
-        * been verified by ospf_recv_packet() to be correct).
-        */
-       stream_forward_getp(ibuf, iph->ip_hl * 4);
+       /* Check that we have enough for an IP header */
+       if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf)) {
+               if ((unsigned int)(iph->ip_hl << 2) == STREAM_READABLE(ibuf)) {
+                       flog_warn(
+                               EC_OSPF_PACKET,
+                               "Rx'd IP packet with OSPF protocol number but no payload");
+               } else {
+                       flog_warn(
+                               EC_OSPF_PACKET,
+                               "IP header length field claims header is %u bytes, but we only have %zu",
+                               (unsigned int)(iph->ip_hl << 2),
+                               STREAM_READABLE(ibuf));
+               }
+
+               return OSPF_READ_ERROR;
+       }
+       stream_forward_getp(ibuf, iph->ip_hl << 2);
 
        ospfh = (struct ospf_header *)stream_pnt(ibuf);
        if (MSG_OK
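Review bot: The new check at `if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf))` rejects only an IHL that is too large; a value below 5, meaning a header shorter than `sizeof(struct ip)`, still passes, so `stream_forward_getp()` would stop inside the IP header and `ospfh` would be overlaid on IP header bytes. Nothing visible in this hunk shows that ospf_recv_packet() or the socket layer enforces the minimum, and the commit message says the earlier assumption about that function was wrong, so I would add a separate guard before the existing one: `if (iph->ip_hl < 5) return OSPF_READ_ERROR;`, preceded by its own `flog_warn(EC_OSPF_PACKET, ...)`. The shifted length is also recomputed four times; a local such as `unsigned int ip_len = iph->ip_hl << 2;` would keep the comparison, the log message and the advance in agreement. The body of ospf_read_helper starts and ends outside the hunk.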