diff options
| author |   claudio <claudio@openbsd.org> | 2015-02-11 05:57:44 +0000 |
|---|---|---|
| committer | claudio <claudio@openbsd.org> | 2015-02-11 05:57:44 +0000 |
| commit | 242fc2ef7f58aa5e86150b4fcabfdf9e52bbea3d (patch) | |
| tree | f55a554e7c76b333df8869434ae0f822754f3a5c | |
| parent | Use sizeof(u_short) in the first check since there are RT messages that (diff) | |
| download | wireguard-openbsd-242fc2ef7f58aa5e86150b4fcabfdf9e52bbea3d.tar.xz wireguard-openbsd-242fc2ef7f58aa5e86150b4fcabfdf9e52bbea3d.zip | |
Use sizeof(u_short) in the first check since there are RT messages that
are less then sizeof(*rtm) bytes long (e.g. interface announcements).
Found the hard way by phessler@
| -rw-r--r-- | usr.sbin/ospfd/kroute.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c index df0ba63242c..68edb1953ca 100644 --- a/usr.sbin/ospfd/kroute.c +++ b/usr.sbin/ospfd/kroute.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kroute.c,v 1.97 2015/02/10 08:26:47 claudio Exp $ */ +/* $OpenBSD: kroute.c,v 1.98 2015/02/11 05:57:44 claudio Exp $ */ /* * Copyright (c) 2004 Esben Norby <norby@openbsd.org> @@ -1343,7 +1343,7 @@ rtmsg_process(char *buf, size_t len) for (offset = 0; offset < len; offset += rtm->rtm_msglen) { next = buf + offset; rtm = (struct rt_msghdr *)next; - if (len < offset + sizeof(*rtm) || + if (len < offset + sizeof(u_short) || len < offset + rtm->rtm_msglen) fatalx("rtmsg_process: partial rtm in buffer"); if (rtm->rtm_version != RTM_VERSION) |