pimd: fix MSDP packet debug crashes

Add some safe guards to avoid crashes and alert us about programming
errors in packet build.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>

diff --git a/pimd/pim_msdp_packet.c b/pimd/pim_msdp_packet.c
index 9f0cba03c2cd389a1a18f7af142e7356d8f23d2b..5230f6a332001a59ef3d11eed3c79937742e2ffc 100644 (file)
--- a/pimd/pim_msdp_packet.c
+++ b/pimd/pim_msdp_packet.c
@@ -83,10 +83,18 @@ static void pim_msdp_pkt_sa_dump_one(struct stream *s)
 
 static void pim_msdp_pkt_sa_dump(struct stream *s)
 {
+       const size_t header_length = PIM_MSDP_SA_X_SIZE - PIM_MSDP_HEADER_SIZE;
+       size_t payload_length;
        int entry_cnt;
        int i;
        struct in_addr rp; /* Last RP address associated with this SA */
 
+       if (header_length > STREAM_READABLE(s)) {
+               zlog_err("BUG MSDP SA bad header (readable %zu expected %zu)",
+                        STREAM_READABLE(s), header_length);
+               return;
+       }
+
        entry_cnt = stream_getc(s);
        rp.s_addr = stream_get_ipv4(s);
 
@@ -96,6 +104,13 @@ static void pim_msdp_pkt_sa_dump(struct stream *s)
                zlog_debug("  entry_cnt %d rp %s", entry_cnt, rp_str);
        }
 
+       payload_length = (size_t)entry_cnt * PIM_MSDP_SA_ONE_ENTRY_SIZE;
+       if (payload_length > STREAM_READABLE(s)) {
+               zlog_err("BUG MSDP SA bad length (readable %zu expected %zu)",
+                        STREAM_READABLE(s), payload_length);
+               return;
+       }
+
        /* dump SAs */
        for (i = 0; i < entry_cnt; ++i) {
                pim_msdp_pkt_sa_dump_one(s);
@@ -116,6 +131,11 @@ static void pim_msdp_pkt_dump(struct pim_msdp_peer *mp, int type, int len,
                return;
        }
 
+       if (len < PIM_MSDP_HEADER_SIZE) {
+               zlog_err("invalid MSDP header length");
+               return;
+       }
+
        switch (type) {
        case PIM_MSDP_V4_SOURCE_ACTIVE:
                pim_msdp_pkt_sa_dump(s);