Index: ospf/lsa.cc =================================================================== RCS file: /cvs/xorp/ospf/lsa.cc,v retrieving revision 1.67 diff -u -p -r1.67 lsa.cc --- ospf/lsa.cc 3 Mar 2006 21:31:40 -0000 1.67 +++ ospf/lsa.cc 16 Oct 2006 23:23:37 -0000 @@ -123,13 +123,15 @@ put_ipv6_net(IPNet& v6net, uint8_t } /** - * Get the length of this LSA and make sure that its less than the - * provided buffer. Otherwise throw an exception. Don't modify the - * value if its greater than the buffer. + * Get the length of this LSA and verify that the length is smaller + * than the buffer and large enough to be a valid LSA. Otherwise throw + * an exception. Don't modify the value if its greater than the + * buffer. */ inline size_t -get_lsa_len_from_header(const char *caller, uint8_t *buf, size_t len) +get_lsa_len_from_header(const char *caller, uint8_t *buf, size_t len, + size_t min_len) throw(BadPacket) { size_t tlen = Lsa_header::get_lsa_len_from_buffer(buf); @@ -139,6 +141,13 @@ get_lsa_len_from_header(const char *call caller, XORP_UINT_CAST(tlen), XORP_UINT_CAST(len))); + } else if(tlen < min_len) { + xorp_throw(BadPacket, + c_format("%s header len %u smaller than minimum LSA " + "of this type %u", + caller, + XORP_UINT_CAST(tlen), + XORP_UINT_CAST(min_len))); } else { len = tlen; } @@ -681,7 +690,7 @@ RouterLsa::decode(uint8_t *buf, size_t& XORP_UINT_CAST(required))); // This guy throws an exception of there is a problem. - len = get_lsa_len_from_header("Router-LSA", buf, len); + len = get_lsa_len_from_header("Router-LSA", buf, len, required); // Verify the checksum. if (!verify_checksum(buf + 2, len - 2, 16 - 2)) @@ -877,7 +886,7 @@ NetworkLsa::decode(uint8_t *buf, size_t& XORP_UINT_CAST(required))); // This guy throws an exception of there is a problem. - len = get_lsa_len_from_header("Network-LSA", buf, len); + len = get_lsa_len_from_header("Network-LSA", buf, len, required); // Verify the checksum. if (!verify_checksum(buf + 2, len - 2, 16 - 2)) @@ -1034,7 +1043,7 @@ SummaryNetworkLsa::decode(uint8_t *buf, XORP_UINT_CAST(required))); // This guy throws an exception of there is a problem. - len = get_lsa_len_from_header("Summary-LSA", buf, len); + len = get_lsa_len_from_header("Summary-LSA", buf, len, required); // Verify the checksum. if (!verify_checksum(buf + 2, len - 2, 16 - 2)) @@ -1175,7 +1184,7 @@ SummaryRouterLsa::decode(uint8_t *buf, s XORP_UINT_CAST(required))); // This guy throws an exception of there is a problem. - len = get_lsa_len_from_header("Summary-LSA", buf, len); + len = get_lsa_len_from_header("Summary-LSA", buf, len, required); // Verify the checksum. if (!verify_checksum(buf + 2, len - 2, 16 - 2)) @@ -1310,7 +1319,7 @@ ASExternalLsa::decode(uint8_t *buf, size XORP_UINT_CAST(required))); // This guy throws an exception of there is a problem. - len = get_lsa_len_from_header("AS-External-LSA", buf, len); + len = get_lsa_len_from_header("AS-External-LSA", buf, len, required); // Verify the checksum. if (!verify_checksum(buf + 2, len - 2, 16 - 2))