authorClaudio Jeker <claudio@cvs.openbsd.org>2013-05-30 15:49:34 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2013-05-30 15:49:34 +0000
commit16568d2793d99f0c23ae3ef4b7739bbd46cc33f1 (patch)
tree0c8c020d965e1e4c54fe62b7a75070318f93ac39
parent9aada48d349db91dd298457115ed8f30b201ad4b (diff)
Improve sanity checks on received UDP messages
The actual meaning of the "PDU Length" field is the total length of the LDP PDU, excluding the "Version" and "PDU Length" fields (as per RFC 5036, section 3.1). Diff from Renato Westphal [renatowestphal at gmail.com]
-rw-r--r--usr.sbin/ldpd/packet.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/usr.sbin/ldpd/packet.c b/usr.sbin/ldpd/packet.c
index 1d3ca1ff953..aa63fbf690b 100644
--- a/usr.sbin/ldpd/packet.c
+++ b/usr.sbin/ldpd/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.17 2013/03/11 17:40:11 deraadt Exp $ */
+/* $OpenBSD: packet.c,v 1.18 2013/05/30 15:49:33 claudio Exp $ */
/*
* Copyright (c) 2009 Michele Marchetto <michele@openbsd.org>
@@ -122,7 +122,6 @@ disc_recv_packet(int fd, short event, void *bula)
struct cmsghdr *cmsg;
ssize_t r;
u_int16_t len;
- int l;
unsigned int ifindex = 0;
if (event != EV_READ)
@@ -176,11 +175,12 @@ disc_recv_packet(int fd, short event, void *bula)
return;
}
- if ((l = ldp_hdr_sanity_check(&ldp_hdr, len, iface)) == -1)
+ if (ldp_hdr_sanity_check(&ldp_hdr, len, iface) == -1)
return;
- if (l > len) {
- log_debug("disc_recv_packet: invalid LDP packet length %d",
+ if (ntohs(ldp_hdr.length) >
+ len - sizeof(ldp_hdr.version) - sizeof(ldp_hdr.length)) {
+ log_debug("disc_recv_packet: invalid LDP packet length %u",
ntohs(ldp_hdr.length));
return;
}
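Review bot: The right-hand side of the new comparison, `len - sizeof(ldp_hdr.version) - sizeof(ldp_hdr.length)`, is evaluated as an unsigned `size_t`, so if `len` could ever be smaller than those two fields it wraps to a very large value and any advertised PDU length passes the check. Whether an earlier minimum-size test on `len` rules this out is not visible in the hunk; if it does, a short comment saying so would help, and otherwise the addition form cannot wrap: `if (ntohs(ldp_hdr.length) + sizeof(ldp_hdr.version) + sizeof(ldp_hdr.length) > len) {`. The comparison also bounds the field only from above, so a PDU length shorter than the received datagram is still accepted here; it is worth confirming that the later message parsing is driven by the validated PDU length rather than by `len`. disc_recv_packet's body starts and ends outside the hunk.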
@@ -219,7 +219,7 @@ ldp_hdr_sanity_check(struct ldp_hdr *ldp_hdr, u_int16_t len,
return (-1);
}
- return (ntohs(ldp_hdr->length));
+ return (0);
}
struct iface *
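Review bot: ldp_hdr_sanity_check() now returns only 0 or -1 at this point, so the PDU length is no longer handed back and each caller has to compare `ldp_hdr->length` with the received size itself, yet nothing in the hunk documents that contract. A comment above the function such as `/* Returns 0 if the header passes, -1 otherwise; the PDU length is not returned, callers must validate it. */` would make this explicit. The disc_recv_packet hunk adds such a comparison, while the visible lines of the session_read hunks only drop `l`; whether session_read bounds `pdu_len` elsewhere lies outside the hunks and should be confirmed. The function body starts outside this hunk.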
@@ -304,7 +304,7 @@ session_read(int fd, short event, void *arg)
struct ldp_msg *ldp_msg;
char *buf, *pdu;
ssize_t n, len;
- int l, msg_size;
+ int msg_size;
u_int16_t pdu_len;
if (event != EV_READ) {
@@ -344,7 +344,7 @@ session_read(int fd, short event, void *arg)
return;
}
- if ((l = ldp_hdr_sanity_check(ldp_hdr, len, iface)) == -1) {
+ if (ldp_hdr_sanity_check(ldp_hdr, len, iface) == -1) {
session_shutdown(nbr, S_BAD_LDP_ID, 0, 0);
free(buf);
return;