From c31aa80e8e1e783446a45395fc8e0773027c5d78 Mon Sep 17 00:00:00 2001
From: renato
Date: Sat, 16 Jul 2016 19:24:30 +0000
Subject: [PATCH] Remove potential overflow when validating message's length. Also, use uint16_t for msg_type on gen_msg_hdr().
---
 usr.sbin/ldpd/address.c | 4 ++--
 usr.sbin/ldpd/ldpe.h | 4 ++--
 usr.sbin/ldpd/packet.c | 9 +++++----
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/usr.sbin/ldpd/address.c b/usr.sbin/ldpd/address.c
index ba546be5506..d09640af4ac 100644
--- a/usr.sbin/ldpd/address.c
+++ b/usr.sbin/ldpd/address.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: address.c,v 1.28 2016/07/01 23:36:38 renato Exp $ */
+/* $OpenBSD: address.c,v 1.29 2016/07/16 19:24:30 renato Exp $ */
 /*
 * Copyright (c) 2009 Michele Marchetto
@@ -32,7 +32,7 @@ void
 send_address(struct nbr *nbr, int af, struct if_addr *if_addr, int withdraw)
 {
 struct ibuf *buf;
- uint32_t msg_type;
+ uint16_t msg_type;
 uint16_t size;
 int iface_count = 0;
 int err = 0;
diff --git a/usr.sbin/ldpd/ldpe.h b/usr.sbin/ldpd/ldpe.h
index 84f4c2a74ef..f8c6f223700 100644
--- a/usr.sbin/ldpd/ldpe.h
+++ b/usr.sbin/ldpd/ldpe.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ldpe.h,v 1.66 2016/07/01 23:33:46 renato Exp $ */
+/* $OpenBSD: ldpe.h,v 1.67 2016/07/16 19:24:30 renato Exp $ */
 /*
 * Copyright (c) 2013, 2016 Renato Westphal
@@ -251,7 +251,7 @@ void nbr_clear_ctl(struct ctl_nbr *);
 /* packet.c */
 int gen_ldp_hdr(struct ibuf *, uint16_t);
-int gen_msg_hdr(struct ibuf *, uint32_t, uint16_t);
+int gen_msg_hdr(struct ibuf *, uint16_t, uint16_t);
 int send_packet(int, int, union ldpd_addr *, struct iface_af *, void *, size_t);
 void disc_recv_packet(int, short, void *);
diff --git a/usr.sbin/ldpd/packet.c b/usr.sbin/ldpd/packet.c
index adbe29273cf..cbe01b724e8 100644
--- a/usr.sbin/ldpd/packet.c
+++ b/usr.sbin/ldpd/packet.c
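Review bot: The `gen_msg_hdr` prototype in ldpe.h now takes two unnamed `uint16_t` arguments in a row, so nothing at the declaration tells a caller which is the message type and which is the size. The receive path in packet.c reads the wire field with `ntohs(msg->type)`, which suggests the type is passed here in host order, but the body of gen_msg_hdr is not part of this patch, so that should be confirmed. The surrounding prototypes are unnamed by convention, so a one-line comment fits better than parameter names, for example `/* gen_msg_hdr(buf, message type, message size) */`. The same signature change appears in the packet.c definition hunk and in the `msg_type` declaration in send_address; call sites outside this patch that still hold the type in a wider variable would now be narrowed implicitly and are worth a grep.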
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.67 2016/07/01 23:36:38 renato Exp $ */
+/* $OpenBSD: packet.c,v 1.68 2016/07/16 19:24:30 renato Exp $ */
 /*
 * Copyright (c) 2013, 2016 Renato Westphal
@@ -57,7 +57,7 @@ gen_ldp_hdr(struct ibuf *buf, uint16_t size)
 }
 int
-gen_msg_hdr(struct ibuf *buf, uint32_t type, uint16_t size)
+gen_msg_hdr(struct ibuf *buf, uint16_t type, uint16_t size)
 {
 static int msgcnt = 0;
 struct ldp_msg msg;
@@ -488,13 +488,14 @@ session_read(int fd, short event, void *arg)
 msg = (struct ldp_msg *)pdu;
 type = ntohs(msg->type);
 msg_len = ntohs(msg->length);
- msg_size = msg_len + LDP_MSG_DEAD_LEN;
- if (msg_len < LDP_MSG_LEN || msg_size > pdu_len) {
+ if (msg_len < LDP_MSG_LEN ||
+ (msg_len + LDP_MSG_DEAD_LEN) > pdu_len) {
 session_shutdown(nbr, S_BAD_TLV_LEN, msg->id, msg->type);
 free(buf);
 return;
 }
+ msg_size = msg_len + LDP_MSG_DEAD_LEN;
 pdu_len -= msg_size;
 /* check for error conditions earlier */
-- 
2.20.1
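Review bot: The new bound check in session_read is only safe because `msg_len + LDP_MSG_DEAD_LEN` is compared as a promoted integer before being narrowed into `msg_size`, and nothing in the code records that. The declarations of `msg_len`, `msg_size` and `pdu_len` are outside the hunk, so this assumes they are 16-bit as the `ntohs()` assignments suggest; in that case a peer-supplied length near the top of the range would have wrapped the old precomputed `msg_size` and passed the `> pdu_len` test. A comment above the condition would stop a later cleanup from hoisting the sum back into the temporary, for example `/* compare the un-narrowed sum; assigning it to msg_size first can wrap */`. session_read's body starts and ends outside the hunk, so whether `pdu_len` is guaranteed to cover at least one message header at this point cannot be confirmed from here.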