Commit f38865df for quagga.net

commit f38865dfaf81db600ed87eebf590929bbe29a140
Author: Quentin Young <qlyoung@cumulusnetworks.com>
Date:   Thu Dec 26 06:58:02 2019 -0500

    nhrpd: offset value not checked for min size

    If the extension offset points to a location within the packet header,
    we end up with an integer underflow leading to heap buffer read
    overflow.

    Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>

diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 5095d55a..5622b495 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -810,8 +810,8 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)

 	extoff = htons(hdr->extension_offset);
 	if (extoff) {
-		if (extoff >= realsize) {
-			info = "extoff larger than packet";
+		if ((extoff >= realsize) || (extoff < (zb->head - zb->buf))) {
+			info = "extoff larger than packet, or smaller than header";
 			goto drop;
 		}
 		paylen = extoff - (zb->head - zb->buf);