Commit f38865df for quagga.net
commit f38865dfaf81db600ed87eebf590929bbe29a140
Author: Quentin Young <qlyoung@cumulusnetworks.com>
Date: Thu Dec 26 06:58:02 2019 -0500
nhrpd: offset value not checked for min size
If the extension offset points to a location within the packet header,
we end up with an integer underflow leading to heap buffer read
overflow.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 5095d55a..5622b495 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -810,8 +810,8 @@ void nhrp_peer_recv(struct nhrp_peer *p, struct zbuf *zb)
extoff = htons(hdr->extension_offset);
if (extoff) {
- if (extoff >= realsize) {
- info = "extoff larger than packet";
+ if ((extoff >= realsize) || (extoff < (zb->head - zb->buf))) {
+ info = "extoff larger than packet, or smaller than header";
goto drop;
}
paylen = extoff - (zb->head - zb->buf);
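Review bot: The new lower bound in `if ((extoff >= realsize) || (extoff < (zb->head - zb->buf)))` repeats the `zb->head - zb->buf` expression that `paylen = extoff - (zb->head - zb->buf);` subtracts two lines later, so the guard and the arithmetic it protects can drift apart in a later edit. Computing the value once, as `hdrlen = zb->head - zb->buf;`, and using `hdrlen` in both places would tie them together; its type should match the declarations of `extoff` and `paylen`, which are outside the hunk. The merged message "extoff larger than packet, or smaller than header" also hides which bound failed. Assuming `info` is what gets reported at the `drop` label, keeping "extoff larger than packet" and adding a separate "extoff smaller than header" would let an operator tell a truncated packet from an offset that points back into the header. A short comment above the check, such as `/* extoff inside the already-parsed header would make paylen wrap */`, would record why the lower bound exists; `nhrp_peer_recv` begins and continues outside this hunk.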