pimd: fix missing igmp mtrace length check
authorQuentin Young <qlyoung@cumulusnetworks.com>
Sun, 22 Dec 2019 02:02:15 +0000 (21:02 -0500)
committerQuentin Young <qlyoung@cumulusnetworks.com>
Thu, 16 Jan 2020 19:36:52 +0000 (14:36 -0500)
We check that the IGMP message is sufficiently sized for an mtrace query,
but not for a response, leading to an uninitialized stack read.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
pimd/pim_igmp_mtrace.c

index 0758e2f784eb6c7ddec8300fe0b7b1d39e1fd701..695d04c7c2ba4cdc0243446fdb21a0e47a57e4fa 100644 (file)
@@ -864,6 +864,16 @@ int igmp_mtrace_recv_response(struct igmp_sock *igmp, struct ip *ip_hdr,
        pim_ifp = ifp->info;
        pim = pim_ifp->pim;
 
+       if (igmp_msg_len < (int)sizeof(struct igmp_mtrace)) {
+               if (PIM_DEBUG_MTRACE)
+                       zlog_warn(
+                               "Recv mtrace packet from %s on %s: too short,"
+                               " len=%d, min=%zu",
+                               from_str, ifp->name, igmp_msg_len,
+                               sizeof(struct igmp_mtrace));
+               return -1;
+       }
+
        mtracep = (struct igmp_mtrace *)igmp_msg;
 
        recv_checksum = mtracep->checksum;
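Review bot: The new length guard in igmp_mtrace_recv_response covers only the fixed `struct igmp_mtrace` header, and nothing says why it must stay ahead of the `mtracep` cast; a short comment such as `/* igmp_msg is untrusted network input: reject short packets before any header field is read */` would keep a later refactor from moving it below the `mtracep->checksum` read. The drop is logged only under `PIM_DEBUG_MTRACE`, so in a normal deployment truncated responses are discarded without a trace; if that is intended, the comment should say so. Whether the response blocks that follow the header get their own length check cannot be seen here, because the function body continues outside the hunk. The commit message implies the query path already carries an equivalent check, so a shared helper for the two may be worth considering.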