summaryrefslogtreecommitdiff
path: root/ospfd
diff options
context:
space:
mode:
Diffstat (limited to 'ospfd')
-rw-r--r--ospfd/ospf_api.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c
index 74a49e3b..fae942ec 100644
--- a/ospfd/ospf_api.c
+++ b/ospfd/ospf_api.c
@@ -472,6 +472,9 @@ new_msg_register_event (u_int32_t seqnum, struct lsa_filter_type *filter)
emsg->filter.typemask = htons (filter->typemask);
emsg->filter.origin = filter->origin;
emsg->filter.num_areas = filter->num_areas;
+ if (len > sizeof (buf))
+ len = sizeof(buf);
+ /* API broken - missing memcpy to fill data */
return msg_new (MSG_REGISTER_EVENT, emsg, seqnum, len);
}
@@ -488,6 +491,9 @@ new_msg_sync_lsdb (u_int32_t seqnum, struct lsa_filter_type *filter)
smsg->filter.typemask = htons (filter->typemask);
smsg->filter.origin = filter->origin;
smsg->filter.num_areas = filter->num_areas;
+ if (len > sizeof (buf))
+ len = sizeof(buf);
+ /* API broken - missing memcpy to fill data */
return msg_new (MSG_SYNC_LSDB, smsg, seqnum, len);
}
@@ -501,13 +507,15 @@ new_msg_originate_request (u_int32_t seqnum,
int omsglen;
char buf[OSPF_API_MAX_MSG_SIZE];
- omsglen = sizeof (struct msg_originate_request) - sizeof (struct lsa_header)
- + ntohs (data->length);
-
omsg = (struct msg_originate_request *) buf;
omsg->ifaddr = ifaddr;
omsg->area_id = area_id;
- memcpy (&omsg->data, data, ntohs (data->length));
+
+ omsglen = ntohs (data->length);
+ if (omsglen > sizeof (buf) - offsetof (struct msg_originate_request, data))
+ omsglen = sizeof (buf) - offsetof (struct msg_originate_request, data);
+ memcpy (&omsg->data, data, omsglen);
+ omsglen += sizeof (struct msg_originate_request) - sizeof (struct lsa_header);
return msg_new (MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen);
}
@@ -627,13 +635,16 @@ new_msg_lsa_change_notify (u_char msgtype,
assert (data);
nmsg = (struct msg_lsa_change_notify *) buf;
- len = ntohs (data->length) + sizeof (struct msg_lsa_change_notify)
- - sizeof (struct lsa_header);
nmsg->ifaddr = ifaddr;
nmsg->area_id = area_id;
nmsg->is_self_originated = is_self_originated;
memset (&nmsg->pad, 0, sizeof (nmsg->pad));
- memcpy (&nmsg->data, data, ntohs (data->length));
+
+ len = ntohs (data->length);
+ if (len > sizeof (buf) - offsetof (struct msg_lsa_change_notify, data))
+ len = sizeof (buf) - offsetof (struct msg_lsa_change_notify, data);
+ memcpy (&nmsg->data, data, len);
+ len += sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header);
return msg_new (msgtype, nmsg, seqnum, len);
}
generated by cgit v1.2.1 (git 2.18.0) at 2025-11-04 04:24:15 +0000