return 0;
}
- /* Advance from IP header to OSPF header (iph->ip_hl has been verified
- by ospf_recv_packet() to be correct). */
- stream_forward_getp(ibuf, iph->ip_hl * 4);
+ /* Check that we have enough for an IP header */
+ if ((unsigned int)(iph->ip_hl << 2) >= STREAM_READABLE(ibuf)) {
+ if ((unsigned int)(iph->ip_hl << 2) == STREAM_READABLE(ibuf)) {
+ flog_warn(
+ EC_OSPF_PACKET,
+ "Rx'd IP packet with OSPF protocol number but no payload");
+ } else {
+ flog_warn(
+ EC_OSPF_PACKET,
+ "IP header length field claims header is %u bytes, but we only have %zu",
+ (unsigned int)(iph->ip_hl << 2),
+ STREAM_READABLE(ibuf));
+ }
+
+ return -1;
+ }
+ stream_forward_getp(ibuf, iph->ip_hl << 2);
ospfh = (struct ospf_header *)stream_pnt(ibuf);
if (MSG_OK