babeld: Check that bodylen is within some bounds of usable

Coverity believed that the bodylen value was read directly from the incoming packet and then used as a loop variable. Unfortunately it missed the fact that in babel_packet_examin the bodylen was actually checked to ensure that it was long enough. So instead of checking it 2 times, generate it one time and let coverity figure it out from that. Signed-off-by: Donald Sharp <sharpd@nvidia.com>
2022-05-12 13:23:36 -04:00 · 2022-05-12 13:23:36 -04:00 · 8128153ba4
parent 601db492b8
commit 8128153ba4
1 changed files with 4 additions and 4 deletions
--- a/babeld/message.c
+++ b/babeld/message.c
@ -286,7 +286,7 @@ channels_len(unsigned char *channels)
   followed by a sequence of TLVs. TLVs of known types are also checked to meet
   minimum length constraints defined for each. Return 0 for no errors. */
 static int
-babel_packet_examin(const unsigned char *packet, int packetlen)
+babel_packet_examin(const unsigned char *packet, int packetlen, int *blength)
 {
    int i = 0, bodylen;
    const unsigned char *message;
@ -323,6 +323,8 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
        }
        i += len + 2;
    }
+
+    *blength = bodylen;
    return 0;
 }

@ -356,7 +358,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
        return;
    }

-    if (babel_packet_examin (packet, packetlen)) {
+    if (babel_packet_examin (packet, packetlen, &bodylen)) {
        flog_err(EC_BABEL_PACKET,
 		  "Received malformed packet on %s from %s.",
                  ifp->name, format_address(from));
@ -369,8 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
        return;
    }

-    DO_NTOHS(bodylen, packet + 2);
-
    i = 0;
    while(i < bodylen) {
        message = packet + 4 + i;