
nhrpd: offset value not checked for min size

If the extension offset points to a location within the packet header,
we end up with an integer underflow leading to heap buffer read
overflow.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Quentin Young 1 year ago
parent
commit
f38865dfaf
1 changed files with 2 additions and 2 deletions

nhrpd/nhrp_peer.c

@@ -810,8 +810,8 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)
 
 	extoff = htons(hdr->extension_offset);
 	if (extoff) {
-		if (extoff >= realsize) {
-			info = "extoff larger than packet";
+		if ((extoff >= realsize) || (extoff < (zb->head - zb->buf))) {
+			info = "extoff larger than packet, or smaller than header";
 			goto drop;
 		}
 		paylen = extoff - (zb->head - zb->buf);
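Review bot: the new lower bound `extoff < (zb->head - zb->buf)` repeats the header-length expression that the `paylen = extoff - (zb->head - zb->buf)` line subtracts immediately afterwards, so the guard and the arithmetic it protects can drift apart in a later edit. Computing that length once into a local (a hypothetical `hdrlen`, say) and using it in both places would keep them tied together. The combined message "extoff larger than packet, or smaller than header" also hides which bound failed; a separate `info` string per condition would make dropped-packet logs easier to triage. Minor: the context line converts a received field with `htons`, where `ntohs` states the intent; the result is the same.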