From 283cc511781f9e076baf8564dae234de52cb290a Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Wed, 15 Jan 2025 11:16:10 -0500 Subject: [PATCH] ospfd: Fix Coverity SA #1617470, 76 and 78 msg_new takes a uint16_t, the length passed down variable is a unsigned int, thus 32 bit. It's possible, but highly unlikely, that the msglen could be greater than 16 bit. Let's just add some checks to ensure that this could not happen. Signed-off-by: Donald Sharp --- ospfd/ospf_api.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c index 213ee8c1fd..cfc13fcc53 100644 --- a/ospfd/ospf_api.c +++ b/ospfd/ospf_api.c @@ -514,6 +514,12 @@ struct msg *new_msg_originate_request(uint32_t seqnum, struct in_addr ifaddr, omsglen += sizeof(struct msg_originate_request) - sizeof(struct lsa_header); + if (omsglen > UINT16_MAX) { + zlog_warn("%s: LSA specified is bigger than maximum LSA size, something is wrong", + __func__); + omsglen = UINT16_MAX; + } + return msg_new(MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen); } @@ -639,6 +645,12 @@ struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum, memcpy(nmsg_data, data, len); len += sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header); + if (len > UINT16_MAX) { + zlog_warn("%s: LSA specified is bigger than maximum LSA size, something is wrong", + __func__); + len = UINT16_MAX; + } + return msg_new(msgtype, nmsg, seqnum, len); } @@ -666,6 +678,12 @@ struct msg *new_msg_reachable_change(uint32_t seqnum, uint16_t nadd, nmsg->nremove = htons(nremove); len = sizeof(*nmsg) + insz * (nadd + nremove); + if (len > UINT16_MAX) { + zlog_warn("%s: LSA specified is bigger than maximum LSA size, something is wrong", + __func__); + len = UINT16_MAX; + } + return msg_new(MSG_REACHABLE_CHANGE, nmsg, seqnum, len); }