Home Explore Help
Register Sign In
Jonathan-Ferguson
/
Quagga
mirror of https://git.launchpad.net/~jonathan-ferguson/debian/+source/quagga
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

nhrpd: offset value not checked for min size

If the extension offset points to a location within the packet header,
we end up with an integer underflow leading to heap buffer read
overflow.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Quentin Young 2 years ago
parent
1f918980c0
commit
f38865dfaf
1 changed files with 2 additions and 2 deletions
Split View Show Diff Stats
  1. 2 2
      nhrpd/nhrp_peer.c

+ 2 - 2
nhrpd/nhrp_peer.c
View File 

@@ -810,8 +810,8 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)
 
 
 	extoff = htons(hdr->extension_offset);
 
 	if (extoff) {
 
-		if (extoff >= realsize) {
 
-			info = "extoff larger than packet";
 
+		if ((extoff >= realsize) || (extoff < (zb->head - zb->buf))) {
 
+			info = "extoff larger than packet, or smaller than header";
 
 			goto drop;
 
 		}
 
 		paylen = extoff - (zb->head - zb->buf);