[PATCH] babel: Check TLV framing before dereferencing tlv->type
Toke Høiland-Jørgensen
toke at toke.dk
Tue Jul 10 23:56:40 CEST 2018
Signed-off-by: Toke Høiland-Jørgensen <toke at toke.dk>
---
proto/babel/packets.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/proto/babel/packets.c b/proto/babel/packets.c
index d4ecf649..991c1520 100644
--- a/proto/babel/packets.c
+++ b/proto/babel/packets.c
@@ -1373,10 +1373,6 @@ babel_process_packet(struct babel_pkt_header *pkt, int len,
(byte *)tlv < end;
tlv = NEXT_TLV(tlv))
{
- /* Ugly special case */
- if (tlv->type == BABEL_TLV_PAD1)
- continue;
-
/* The end of the common TLV header */
pos = (byte *)tlv + sizeof(struct babel_tlv);
if ((pos > end) || (pos + tlv->length > end))
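Review bot: With the Pad1 special case removed from the top of the loop body, the framing check `if ((pos > end) || (pos + tlv->length > end))` now runs on Pad1 TLVs as well. Pad1 in Babel (RFC 6126) is a single octet with no length field, so `tlv->length` here is whatever byte follows the Pad1, and `pos = (byte *)tlv + sizeof(struct babel_tlv)` assumes a header longer than the TLV itself. The loop condition `(byte *)tlv < end` already guarantees the type octet lies inside the packet, so reading `tlv->type` before the framing check is in bounds. I would keep the Pad1 `continue` ahead of the check, or make the check aware of the TLV type.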
@@ -1386,6 +1382,10 @@ babel_process_packet(struct babel_pkt_header *pkt, int len,
break;
}
+ /* Ugly special case */
+ if (tlv->type == BABEL_TLV_PAD1)
+ continue;
+
msg = sl_alloc(p->msg_slab);
res = babel_read_tlv(tlv, &msg->msg, &state);
if (res == PARSE_SUCCESS)
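Review bot: The re-added `if (tlv->type == BABEL_TLV_PAD1)` is reachable only after the framing check has passed, so a packet whose last octet is a Pad1 has `pos > end`, takes the `break` path above, and is never skipped by this `continue`. If this ordering is intended, the `/* Ugly special case */` comment should say why Pad1 is special (one octet, no length) and why it has to follow the check. The commit message also needs a body describing the failure being fixed; as posted it has only the subject line and the sign-off.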
--
2.18.0