]> git.ipfire.org Git - thirdparty/bird.git/commitdiff
projects / thirdparty / bird.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 71e08ed)
OSPF: Fix bad header length test
authorOndrej Zajicek (work) <santiago@crfreenet.org>
Wed, 10 Jun 2020 11:27:14 +0000 (13:27 +0200)
committerOndrej Zajicek (work) <santiago@crfreenet.org>
Wed, 10 Jun 2020 11:27:14 +0000 (13:27 +0200)
Thanks to Slava Aseev for the thorough bugreport.

proto/ospf/packet.c patch | blob | blame | history

diff --git a/proto/ospf/packet.c b/proto/ospf/packet.c
index 599f3094eb6096dd0fa452b263c8435daefa9f01..cbc8f2ec8e3c2c3afc61574887569765d74e4b25 100644 (file)
--- a/proto/ospf/packet.c
+++ b/proto/ospf/packet.c
@@ -441,7 +441,8 @@ ospf_rx_hook(sock *sk, uint len)
     DROP("version mismatch", pkt->version);
 
   uint plen = ntohs(pkt->length);
-  if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
+  uint hlen = sizeof(struct ospf_packet) + (ospf_is_v2(p) ? sizeof(union ospf_auth2) : 0);
+  if ((plen < hlen) || ((plen % 4) != 0))
     DROP("invalid length", plen);
 
   if (sk->flags & SKF_TRUNCATED)
@@ -462,9 +463,8 @@ ospf_rx_hook(sock *sk, uint len)
 
   if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
   {
-    uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
-    uint blen = plen - hlen;
     void *body = ((void *) pkt) + hlen;
+    uint blen = plen - hlen;
 
     if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
       DROP("invalid checksum", ntohs(pkt->checksum));
Mirror of https://gitlab.labs.nic.cz/labs/bird.git