ospfd: fix misplaced trust in ip header length
authorQuentin Young <qlyoung@cumulusnetworks.com>
Thu, 12 Dec 2019 05:09:39 +0000 (00:09 -0500)
committerQuentin Young <qlyoung@cumulusnetworks.com>
Thu, 16 Jan 2020 19:36:52 +0000 (14:36 -0500)
We actually don't validate the IHL field, although it certainly looks
like we do at a casual glance.

This patch saves us from an assert in case we actually do get an IP
packet with an incorrect header length field.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
ospfd/ospf_packet.c

index 5a29c1fb07abb2c511875e581d74ffe015308a17..23ec7a14cde916febbaa6424d10a51f71eb81946 100644 (file)
@@ -2994,9 +2994,23 @@ int ospf_read(struct thread *thread)
                return 0;
        }
 
-       /* Advance from IP header to OSPF header (iph->ip_hl has been verified
-          by ospf_recv_packet() to be correct). */
-       stream_forward_getp(ibuf, iph->ip_hl * 4);
+       /* Check that we have enough for an IP header */
+       if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf)) {
+               if ((unsigned int)(iph->ip_hl << 2) == STREAM_READABLE(ibuf)) {
+                       flog_warn(
+                               EC_OSPF_PACKET,
+                               "Rx'd IP packet with OSPF protocol number but no payload");
+               } else {
+                       flog_warn(
+                               EC_OSPF_PACKET,
+                               "IP header length field claims header is %u bytes, but we only have %zu",
+                               (unsigned int)(iph->ip_hl << 2),
+                               STREAM_READABLE(ibuf));
+               }
+
+               return -1;
+       }
+       stream_forward_getp(ibuf, iph->ip_hl << 2);
 
        ospfh = (struct ospf_header *)stream_pnt(ibuf);
        if (MSG_OK
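Review bot: The new guard bounds `iph->ip_hl << 2` from above only, so an IHL below 5 still passes it; with `ip_hl == 0` the `stream_forward_getp()` call advances nothing and `ospfh` is then cast over the IP header bytes themselves. Unless a check outside this hunk already rejects short IHL values, add a lower bound ahead of the existing test, e.g. `if ((unsigned int)(iph->ip_hl << 2) < sizeof(struct ip))` with its own `flog_warn(EC_OSPF_PACKET, ...)` and `return -1;` (this assumes `iph` is a `struct ip *`, which the hunk does not show). The guard also guarantees only one readable byte past the IP header rather than a full `struct ospf_header`, so the cast on the next line depends on whatever the `MSG_OK` test, cut off at the end of the hunk, goes on to verify. Computing the header length once into a local `unsigned int` would avoid repeating the shift-and-cast four times. The body of ospf_read starts and ends outside the hunk.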