ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)

This vulnerability (CERT-FI #514838) was reported by CROSS project.

The error is reproducible only when ospfd debugging is enabled:
  * debug ospf packet all
  * debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.

* ospf_packet.c
  * ospf_verify_header(): add type field check
  * ospf_read(): perform input checks early
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 5727878..151ed32 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2321,6 +2321,13 @@
       return -1;
     }
 
+  /* Valid OSPFv2 packet types are 1 through 5 inclusive. */
+  if (ospfh->type < 1 || ospfh->type > 5)
+  {
+    zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
+    return -1;
+  }
+
   /* Check Area ID. */
   if (!ospf_check_area_id (oi, ospfh))
     {
@@ -2448,6 +2455,17 @@
   /* associate packet with ospf interface */
   oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
 
+  /* Verify header fields before any further processing. */
+  ret = ospf_verify_header (ibuf, oi, iph, ospfh);
+  if (ret < 0)
+  {
+    if (IS_DEBUG_OSPF_PACKET (0, RECV))
+      zlog_debug ("ospf_read[%s]: Header check failed, "
+                  "dropping.",
+                  inet_ntoa (iph->ip_src));
+    return ret;
+  }
+
   /* If incoming interface is passive one, ignore it. */
   if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
     {
@@ -2557,20 +2575,6 @@
 	zlog_debug ("-----------------------------------------------------");
   }
 
-  /* Some header verification. */
-  ret = ospf_verify_header (ibuf, oi, iph, ospfh);
-  if (ret < 0)
-    {
-      if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
-        {
-          zlog_debug ("ospf_read[%s/%s]: Header check failed, "
-                     "dropping.",
-                     ospf_packet_type_str[ospfh->type],
-                     inet_ntoa (iph->ip_src));
-        }
-      return ret;
-    }
-
   stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
 
   /* Adjust size to message length. */