From 3d50adc170fed7e09f2c45eab8e104cba2ef14d6 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Wed, 18 Nov 2015 09:53:58 +0100
Subject: [PATCH] bsd/getroute.c: check message length. Avoid buffer overread
---
 miniupnpd/bsd/getroute.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/miniupnpd/bsd/getroute.c b/miniupnpd/bsd/getroute.c
index 22a7dde..f018216 100644
--- a/miniupnpd/bsd/getroute.c
+++ b/miniupnpd/bsd/getroute.c
@@ -85,11 +85,19 @@ get_src_for_route_to(const struct sockaddr * dst,
 l, rtm.rtm_seq, rtm.rtm_pid, (int)sizeof(struct rt_msghdr));
 } while(l > 0 && (rtm.rtm_pid != getpid() || rtm.rtm_seq != 1));
 close(s);
+if(l <= 0) {
+syslog(LOG_WARNING, "no matching ROUTE response message");
+return -1;
+}
 p = m_rtmsg.m_space;
 if(rtm.rtm_addrs) {
 for(i=1; i<0x8000; i <<= 1) {
 if(i & rtm.rtm_addrs) {
 char tmp[256] = { 0 };
+if(p >= (char *)&m_rtmsg + l) {
+syslog(LOG_ERR, "error parsing ROUTE response message");
+break;
+}
 sa = (struct sockaddr *)p;
 sockaddr_to_string(sa, tmp, sizeof(tmp));
 syslog(LOG_DEBUG, "type=%d sa_len=%d sa_family=%d %s",
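Review bot: The added bound check on `p` only guarantees that the first byte of the next address lies inside the `l` bytes received; `sockaddr_to_string(sa, tmp, sizeof(tmp))` on the following line then reads `sa->sa_len` bytes through `sa`, so a final address whose `sa_len` extends past `(char *)&m_rtmsg + l` is still overread from stack memory beyond the message. Since `sa_len` is the leading byte of a BSD `struct sockaddr`, the existing check already makes it safe to read, so after the cast add `if(p + sa->sa_len > (char *)&m_rtmsg + l) { syslog(LOG_ERR, "truncated sockaddr in ROUTE response message"); break; }` before the `sockaddr_to_string` call. The advance of `p` to the next address and the rest of the loop body are outside the hunk, so whether a zero or undersized `sa_len` is handled there cannot be confirmed from here. The new `l <= 0` guard also does not by itself establish `l >= sizeof(struct rt_msghdr)`, which the `rtm.rtm_addrs` read presumably relies on; worth verifying that the read loop above the hunk enforces it.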