From d9529c9fb11d7fabe6f6986761293358dc0baffe Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Wed, 22 Jun 2022 08:24:03 -0400 Subject: [PATCH] ospf6d: Ensure that ospf6d does not memcpy beyond end of data Ensure that received data size can fit into temp variable that is used to dump data. Signed-off-by: Donald Sharp --- ospf6d/ospf6_auth_trailer.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ospf6d/ospf6_auth_trailer.c b/ospf6d/ospf6_auth_trailer.c index 77ac4a1877..e54f6784e8 100644 --- a/ospf6d/ospf6_auth_trailer.c +++ b/ospf6d/ospf6_auth_trailer.c @@ -120,7 +120,13 @@ void ospf6_auth_hdr_dump_recv(struct ospf6_header *ospfh, uint16_t length, ospf6_at_hdr = (struct ospf6_auth_hdr *)((uint8_t *)ospfh + oh_len); at_hdr_len = ntohs(ospf6_at_hdr->length); - hash_len = at_hdr_len - OSPF6_AUTH_HDR_MIN_SIZE; + hash_len = at_hdr_len - (uint16_t)OSPF6_AUTH_HDR_MIN_SIZE; + if (hash_len > KEYCHAIN_MAX_HASH_SIZE) { + zlog_debug( + "Specified value for hash_len %u is greater than expected %u", + hash_len, KEYCHAIN_MAX_HASH_SIZE); + return; + } memcpy(temp, ospf6_at_hdr->data, hash_len); temp[hash_len] = '\0'; zlog_debug("OSPF6 Authentication Trailer");