summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaudio Jeker <claudio@cvs.openbsd.org>2015-02-11 05:58:58 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2015-02-11 05:58:58 +0000
commit244df2ab7375680c3e35a304643ecd6f95f1860c (patch)
treef1058e266ed43cc9dc6b692af77e2a4496eef77f
parent694d8f61bd5b3eae7d0cd268698186472d43f7fa (diff)
Use sizeof(u_short) in the first check since there are RT messages that
are less then sizeof(*rtm) bytes long (e.g. interface announcements). Found the hard way by phessler@
-rw-r--r--usr.sbin/dvmrpd/kroute.c4
-rw-r--r--usr.sbin/ldpd/kroute.c4
-rw-r--r--usr.sbin/ospf6d/kroute.c4
-rw-r--r--usr.sbin/ospfd/kroute.c4
-rw-r--r--usr.sbin/ripd/kroute.c4
5 files changed, 10 insertions, 10 deletions
diff --git a/usr.sbin/dvmrpd/kroute.c b/usr.sbin/dvmrpd/kroute.c
index 07068d2723e..39faa9255e6 100644
--- a/usr.sbin/dvmrpd/kroute.c
+++ b/usr.sbin/dvmrpd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.10 2015/02/10 08:49:30 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.11 2015/02/11 05:56:27 claudio Exp $ */
/*
* Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -389,7 +389,7 @@ kr_dispatch_msg(int fd, short event, void *bula)
lim = buf + n;
for (next = buf; next < lim; next += rtm->rtm_msglen) {
rtm = (struct rt_msghdr *)next;
- if (lim < next + sizeof(*rtm) ||
+ if (lim < next + sizeof(u_short) ||
lim < next + rtm->rtm_msglen)
fatalx("dispatch_rtmsg: partial rtm in buffer");
if (rtm->rtm_version != RTM_VERSION)
diff --git a/usr.sbin/ldpd/kroute.c b/usr.sbin/ldpd/kroute.c
index 7f9a47006e6..1bb1aeaaec8 100644
--- a/usr.sbin/ldpd/kroute.c
+++ b/usr.sbin/ldpd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.36 2015/02/10 08:25:51 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.37 2015/02/11 05:56:51 claudio Exp $ */
/*
* Copyright (c) 2009 Michele Marchetto <michele@openbsd.org>
@@ -1207,7 +1207,7 @@ rtmsg_process(char *buf, size_t len)
for (offset = 0; offset < len; offset += rtm->rtm_msglen) {
next = buf + offset;
rtm = (struct rt_msghdr *)next;
- if (len < offset + sizeof(*rtm) ||
+ if (len < offset + sizeof(u_short) ||
len < offset + rtm->rtm_msglen)
fatalx("rtmsg_process: partial rtm in buffer");
if (rtm->rtm_version != RTM_VERSION)
diff --git a/usr.sbin/ospf6d/kroute.c b/usr.sbin/ospf6d/kroute.c
index 9cf6513036f..84c06edb206 100644
--- a/usr.sbin/ospf6d/kroute.c
+++ b/usr.sbin/ospf6d/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.46 2015/02/10 05:39:10 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.47 2015/02/11 05:58:57 claudio Exp $ */
/*
* Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -1271,7 +1271,7 @@ dispatch_rtmsg(void)
lim = buf + n;
for (next = buf; next < lim; next += rtm->rtm_msglen) {
rtm = (struct rt_msghdr *)next;
- if (lim < next + sizeof(*rtm) ||
+ if (lim < next + sizeof(u_short) ||
lim < next + rtm->rtm_msglen)
fatalx("dispatch_rtmsg: partial rtm in buffer");
if (rtm->rtm_version != RTM_VERSION)
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c
index df0ba63242c..68edb1953ca 100644
--- a/usr.sbin/ospfd/kroute.c
+++ b/usr.sbin/ospfd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.97 2015/02/10 08:26:47 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.98 2015/02/11 05:57:44 claudio Exp $ */
/*
* Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -1343,7 +1343,7 @@ rtmsg_process(char *buf, size_t len)
for (offset = 0; offset < len; offset += rtm->rtm_msglen) {
next = buf + offset;
rtm = (struct rt_msghdr *)next;
- if (len < offset + sizeof(*rtm) ||
+ if (len < offset + sizeof(u_short) ||
len < offset + rtm->rtm_msglen)
fatalx("rtmsg_process: partial rtm in buffer");
if (rtm->rtm_version != RTM_VERSION)
diff --git a/usr.sbin/ripd/kroute.c b/usr.sbin/ripd/kroute.c
index ff66a291107..4c13ea087e6 100644
--- a/usr.sbin/ripd/kroute.c
+++ b/usr.sbin/ripd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.28 2015/02/10 08:23:13 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.29 2015/02/11 05:58:08 claudio Exp $ */
/*
* Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -1039,7 +1039,7 @@ dispatch_rtmsg(void)
lim = buf + n;
for (next = buf; next < lim; next += rtm->rtm_msglen) {
rtm = (struct rt_msghdr *)next;
- if (lim < next + sizeof(*rtm) ||
+ if (lim < next + sizeof(u_short) ||
lim < next + rtm->rtm_msglen)
fatalx("dispatch_rtmsg: partial rtm in buffer");
if (rtm->rtm_version != RTM_VERSION)