From a6bc04d59130c49a1dbfadffa4285b11e2ff4939 Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek
Date: Thu, 29 Oct 2009 23:57:42 +0100
Subject: Implements better checks on incoming packets and LSAs in OSPF.
---
 proto/ospf/dbdes.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'proto/ospf/dbdes.c')
diff --git a/proto/ospf/dbdes.c b/proto/ospf/dbdes.c
index c9d318c..2cb2dd8 100644
--- a/proto/ospf/dbdes.c
+++ b/proto/ospf/dbdes.c
@@ -53,7 +53,7 @@ static void ospf_dump_dbdes(struct proto *p, struct ospf_dbdes_packet *pkt)
 log(L_TRACE "%s: ddseq %u", p->name, ntohl(pkt->ddseq));
 struct ospf_lsa_header *plsa = (void *) (pkt + 1);
- int i, j;
+ unsigned int i, j;
 j = (ntohs(op->length) - sizeof(struct ospf_dbdes_packet)) / sizeof(struct ospf_lsa_header);
@@ -247,11 +247,17 @@ void ospf_dbdes_receive(struct ospf_packet *ps_i, struct ospf_iface *ifa, struct ospf_neighbor *n)
 {
- struct ospf_dbdes_packet *ps = (void *) ps_i;
 struct proto *p = &ifa->oa->po->proto;
 u32 myrid = p->cf->global->router_id;
- unsigned int size = ntohs(ps->ospf_packet.length);
+ unsigned int size = ntohs(ps_i->length);
+ if (size < sizeof(struct ospf_dbdes_packet))
+ {
+ log(L_ERR "Bad OSPF DBDES packet from %I - too short (%u B)", n->ip, size);
+ return;
+ }
+
+ struct ospf_dbdes_packet *ps = (void *) ps_i;
 u32 ps_ddseq = ntohl(ps->ddseq);
 u32 ps_options = ntoh_opt(ps->options);
--
cgit v1.2.3
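Review bot: The count `j` in ospf_dump_dbdes is still computed as `ntohs(op->length) - sizeof(struct ospf_dbdes_packet)` with no lower-bound check of its own, and that subtraction is carried out in an unsigned type, so a length smaller than the fixed header wraps to a very large count. Changing `i, j` to `unsigned int` removes the signed/unsigned mismatch but leaves the function depending on every caller having validated the length first, as ospf_dbdes_receive now does in the second hunk. A comment above the computation such as `/* caller must have checked length >= sizeof(struct ospf_dbdes_packet) */`, or an early return on a short length, would make that dependency explicit. The code that consumes `j` lies outside the hunk.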
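Review bot: The new guard in ospf_dbdes_receive bounds `size` only from below, and `size` is the length field the sender wrote into the header (`ntohs(ps_i->length)`), not the number of bytes actually received. Unless the common receive path already rejects a declared length larger than the received datagram (not visible in this file), the LSA headers following the fixed part are still walked on the sender's word. It would also be worth rejecting a trailing partial header, e.g. `if ((size - sizeof(struct ospf_dbdes_packet)) % sizeof(struct ospf_lsa_header)) return;` with a matching log line. The function body continues outside the hunk.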