Intervals are carried as 16-bit centisecond values, but kept internally as 16-bit second values, which creates a potential for overflow. This adds some checks to make sure this doesn't happen.
Signed-off-by: Toke Høiland-Jørgensen <[email protected]>
---
 proto/babel/babel.h | 2 ++
 proto/babel/config.Y | 9 +++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/proto/babel/babel.h b/proto/babel/babel.h
index aea0dd8..67d32ad 100644
--- a/proto/babel/babel.h
+++ b/proto/babel/babel.h
@@ -50,6 +50,8 @@
 #define BABEL_INITIAL_HOP_COUNT 255
 #define BABEL_MAX_SEND_INTERVAL 5
 #define BABEL_TIME_UNITS 100 /* On-wire times are counted in centiseconds */
+#define BABEL_MAX_INTERVAL 0xFFFF/BABEL_TIME_UNITS /* max interval that won't overflow
+ * when carried as 16-bit centiseconds */
 #define BABEL_SEQNO_REQUEST_EXPIRY 60
 #define BABEL_GARBAGE_INTERVAL 300
diff --git a/proto/babel/config.Y b/proto/babel/config.Y
index e7ce6a9..fea269d 100644
--- a/proto/babel/config.Y
+++ b/proto/babel/config.Y
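Review bot: `BABEL_MAX_INTERVAL` is defined as the unparenthesized expression `0xFFFF/BABEL_TIME_UNITS`, so any use as an operand of a multiplicative operator (say `x * BABEL_MAX_INTERVAL`) regroups into `(x * 0xFFFF)/BABEL_TIME_UNITS`, which rounds differently from `x * 655`. The two uses in this series, `MIN_(…, BABEL_MAX_INTERVAL)` and `$3>BABEL_MAX_INTERVAL`, happen to be safe, but that should not depend on each caller; define it as `#define BABEL_MAX_INTERVAL (0xFFFF/BABEL_TIME_UNITS)`. The comment would also help a reader more if it stated the unit and the resulting value, e.g. `/* in seconds; 655 with BABEL_TIME_UNITS == 100, the largest value that fits a 16-bit centisecond field */`.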
@@ -77,17 +77,18 @@ babel_iface_finish:
 BABEL_IFACE->rxcost = BABEL_RXCOST_WIRED;
 }
+ /* make sure we don't overflow the 16-bit centisec fields */
 if (!BABEL_IFACE->update_interval)
- BABEL_IFACE->update_interval = BABEL_IFACE->hello_interval*BABEL_UPDATE_INTERVAL_FACTOR;
- BABEL_IFACE->ihu_interval = BABEL_IFACE->hello_interval*BABEL_IHU_INTERVAL_FACTOR;
+ BABEL_IFACE->update_interval = MIN_(BABEL_IFACE->hello_interval*BABEL_UPDATE_INTERVAL_FACTOR, BABEL_MAX_INTERVAL);
+ BABEL_IFACE->ihu_interval = MIN_(BABEL_IFACE->hello_interval*BABEL_IHU_INTERVAL_FACTOR, BABEL_MAX_INTERVAL);
 };
 babel_iface_item:
 | PORT expr { BABEL_IFACE->port = $2; if (($2<1) || ($2>65535)) cf_error("Invalid port number"); }
 | RXCOST expr { BABEL_IFACE->rxcost = $2; if (($2<1) || ($2>65535)) cf_error("Invalid rxcost"); }
- | HELLO INTERVAL expr { BABEL_IFACE->hello_interval = $3; if (($3<1) || ($3>65535)) cf_error("Invalid hello interval"); }
- | UPDATE INTERVAL expr { BABEL_IFACE->update_interval = $3; if (($3<1) || ($3>65535)) cf_error("Invalid hello interval"); }
+ | HELLO INTERVAL expr { BABEL_IFACE->hello_interval = $3; if (($3<1) || ($3>BABEL_MAX_INTERVAL)) cf_error("Invalid hello interval"); }
+ | UPDATE INTERVAL expr { BABEL_IFACE->update_interval = $3; if (($3<1) || ($3>BABEL_MAX_INTERVAL)) cf_error("Invalid hello interval"); }
 | TYPE WIRED { BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRED; }
 | TYPE WIRELESS { BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRELESS; }
 | RX BUFFER expr { BABEL_IFACE->rx_buffer = $3; if (($3<256) || ($3>65535)) cf_error("RX buffer must be in range 256-65535"); }
-- 2.8.0
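Review bot: The rewritten `UPDATE INTERVAL` rule still reports `cf_error("Invalid hello interval")`, so an operator who sets an update interval above `BABEL_MAX_INTERVAL` is pointed at the wrong option; the new line should read `cf_error("Invalid update interval")`. Now that the upper bound is 655 rather than the obvious 65535, both messages would be more useful if they named the accepted range the way the `RX BUFFER` rule does, e.g. `cf_error("Hello interval must be in range 1-%d", BABEL_MAX_INTERVAL)`, provided `cf_error` accepts a format string. In `babel_iface_finish` the `MIN_` clamp silently caps a derived interval instead of rejecting it, which seems a reasonable choice but deserves a word in the added comment, e.g. `/* derived intervals are clamped rather than rejected so the 16-bit centisecond fields can't overflow */`. `babel_iface_finish` begins before this hunk, and the hunk's old-line count suggests a few blank context lines were lost in extraction.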
