From 83a7713fa4f703b65ac86eeb462d10aba9d7b5a7 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Tue, 20 Jan 2015 18:09:12 +0000
Subject: [PATCH] Do not assume a read buffer coming from libevent is aligned. Copy the int to an aligned variable before operating on it. ok claudio
---
 usr.sbin/ldpd/labelmapping.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/ldpd/labelmapping.c b/usr.sbin/ldpd/labelmapping.c
index 3ab1886e29e..54dfa94710f 100644
--- a/usr.sbin/ldpd/labelmapping.c
+++ b/usr.sbin/ldpd/labelmapping.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: labelmapping.c,v 1.29 2014/10/25 03:23:49 lteo Exp $ */
+/* $OpenBSD: labelmapping.c,v 1.30 2015/01/20 18:09:12 deraadt Exp $ */

 /*
 * Copyright (c) 2009 Michele Marchetto
@@ -212,6 +212,7 @@ recv_labelmessage(struct nbr *nbr, char *buf, u_int16_t len, u_int16_t type)
 /* Optional Parameters */
 while (len > 0) {
 struct tlv tlv;
+ u_int32_t reqbuf, labelbuf;

 if (len < sizeof(tlv)) {
 session_shutdown(nbr, S_BAD_TLV_LEN, lm.msgid,
@@ -235,7 +236,8 @@ recv_labelmessage(struct nbr *nbr, char *buf, u_int16_t len, u_int16_t type)
 }

 flags |= F_MAP_REQ_ID;
- reqid = ntohl(*(u_int32_t *)buf);
+ memcpy(&reqbuf, buf, sizeof(reqbuf));
+ reqid = ntohl(reqbuf);
 break;
 default:
 /* ignore */
@@ -256,7 +258,8 @@ recv_labelmessage(struct nbr *nbr, char *buf, u_int16_t len, u_int16_t type)
 goto err;
 }

- label = ntohl(*(u_int32_t *)buf);
+ memcpy(&labelbuf, buf, sizeof(labelbuf));
+ label = ntohl(labelbuf);
 flags |= F_MAP_OPTLABEL;
 break;
 default:
-- 
2.20.1
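Review bot: The two `memcpy()` calls (the `reqid` read under `F_MAP_REQ_ID`, and the `label` read in the last hunk) each copy `sizeof(u_int32_t)` bytes out of `buf`, but the length checks that would make this safe sit above the context lines shown, so these hunks alone do not show that both the TLV's declared length and the remaining `len` are at least 4 at those points. That is worth confirming against the full function, since `buf` holds data received from a neighbor. I would also add a short comment at the first copy, for example `/* buf may be unaligned; copy before ntohl() */`, so that a later cleanup does not bring back the `*(u_int32_t *)buf` cast that the commit message says cannot assume alignment. `recv_labelmessage()` starts and ends outside these hunks, so whether other fields in the same loop are still read through pointer casts cannot be judged from here.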