ospfd: a possible fix for TAINTED_SCALAR coverity issues

Signed-off-by: Mahdi Varasteh <[email protected]>
FRRouting · Oct 3, 2023 · 27ec94f · 27ec94f
1 parent 7a80a23
commit 27ec94f
Showing 1 changed file with 22 additions and 11 deletions.
diff --git a/ospfd/ospf_auth.c b/ospfd/ospf_auth.c
@@ -89,7 +89,7 @@ static int ospf_auth_check_hmac_sha_digest(struct ospf_interface *oi,
 	uint16_t length = ntohs(ospfh->length);
 	uint16_t hash_length = keychain_get_hash_len(key->hash_algo);
 #ifdef CRYPTO_OPENSSL
-	unsigned int openssl_hash_length = hash_length;
+	uint32_t openssl_hash_length = hash_length;
 	HMAC_CTX *ctx;
 	const EVP_MD *md_alg = ospf_auth_get_openssl_evp_md_from_key(key);
 
@@ -159,6 +159,13 @@ static int ospf_auth_check_md5_digest(struct ospf_interface *oi,
 	struct crypt_key *ck = NULL;
 	uint16_t length = ntohs(ospfh->length);
 
+	if (length < sizeof(struct ospf_header)) {/* for coverity's sake */
+		flog_warn(EC_OSPF_AUTH,
+			  "interface %s: Invalid packet length, Router-ID: %pI4",
+			  IF_NAME(oi), &ospfh->router_id);
+		return 0;
+	}
+
 	if (key == NULL) {
 		ck = ospf_crypt_key_lookup(OSPF_IF_PARAM(oi, auth_crypt),
 				   ospfh->u.crypt.key_id);
@@ -189,7 +196,7 @@ static int ospf_auth_check_md5_digest(struct ospf_interface *oi,
 		strlcpy(auth_key, (char *)ck->auth_key, OSPF_AUTH_MD5_SIZE + 1);
 	/* Generate a digest for the ospf packet - their digest + our digest. */
 #ifdef CRYPTO_OPENSSL
-	unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+	uint32_t md5_size = OSPF_AUTH_MD5_SIZE;
 
 	ctx = EVP_MD_CTX_new();
 	EVP_DigestInit(ctx, EVP_md5());
@@ -222,25 +229,29 @@ static int ospf_auth_check_md5_digest(struct ospf_interface *oi,
 static int ospf_auth_make_md5_digest(struct ospf_interface *oi,
 				     struct ospf_packet *op, struct key *key)
 {
-	void *ibuf;
-	struct ospf_header *ospfh;
+	void *ibuf = STREAM_DATA(op->s);
+	struct ospf_header *ospfh = (struct ospf_header *)ibuf;
 	unsigned char digest[OSPF_AUTH_MD5_SIZE];
-	uint16_t length;
+	uint16_t length = ntohs(ospfh->length);
 #ifdef CRYPTO_OPENSSL
 	EVP_MD_CTX *ctx;
 #elif CRYPTO_INTERNAL
 	MD5_CTX ctx;
 #endif
 	char auth_key[OSPF_AUTH_MD5_SIZE + 1];
 
+	if ((length < (sizeof(struct ospf_header))) || (length > op->length)) { /* for coverity's sake */
+		flog_warn(EC_OSPF_AUTH,
+			  "interface %s: Invalid packet length, Router-ID: %pI4",
+			  IF_NAME(oi), &ospfh->router_id);
+		return 0;
+	}
+
 	memset(auth_key, 0, OSPF_AUTH_MD5_SIZE + 1);
 	strlcpy(auth_key, key->string, OSPF_AUTH_MD5_SIZE + 1);
-	ibuf = STREAM_DATA(op->s);
-	ospfh = (struct ospf_header *)ibuf;
-	length = ntohs(ospfh->length);
 	/* Generate a digest for the ospf packet - their digest + our digest. */
 #ifdef CRYPTO_OPENSSL
-	unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+	uint32_t md5_size = OSPF_AUTH_MD5_SIZE;
 
 	ctx = EVP_MD_CTX_new();
 	EVP_DigestInit(ctx, EVP_md5());
@@ -282,7 +293,7 @@ static int ospf_auth_make_hmac_sha_digest(struct ospf_interface *oi,
 	ibuf = STREAM_DATA(op->s);
 	ospfh = (struct ospf_header *)ibuf;
 #ifdef CRYPTO_OPENSSL
-	unsigned int openssl_hash_length = hash_length;
+	uint32_t openssl_hash_length = hash_length;
 	HMAC_CTX *ctx;
 	const EVP_MD *md_alg = ospf_auth_get_openssl_evp_md_from_key(key);
 
@@ -491,7 +502,7 @@ int ospf_auth_make(struct ospf_interface *oi, struct ospf_packet *op)
 	if (auth_key) {
 		/* Generate a digest for the entire packet + our secret key. */
 #ifdef CRYPTO_OPENSSL
-		unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+		uint32_t md5_size = OSPF_AUTH_MD5_SIZE;
 
 		ctx = EVP_MD_CTX_new();
 		EVP_DigestInit(ctx, EVP_md5());