proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-05-29 10:48:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

zebra: fix incoming FPM message length validation

Browse Source 
Validate incoming message length against correct
(struct rtmsg) len, not top-level netlink message header size.

Signed-off-by: Mark Stapp <mjs@cisco.com>
This commit is contained in:
Mark Stapp 2024-06-05 14:37:41 -04:00
parent 2871a4e8cb
commit 28d2e126c7
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
zebra/dplane_fpm_nl.c
View File

@ -654,14 +654,6 @@ static void fpm_read(struct event *t)
hdr_available_bytes = fpm.msg_len - FPM_MSG_HDR_LEN; hdr_available_bytes = fpm.msg_len - FPM_MSG_HDR_LEN;
available_bytes -= hdr_available_bytes; available_bytes -= hdr_available_bytes;
/* Sanity check: must be at least header size. */
if (hdr->nlmsg_len < sizeof(*hdr)) {
zlog_warn(
"%s: [seq=%u] invalid message length %u (< %zu)",
__func__, hdr->nlmsg_seq, hdr->nlmsg_len,
sizeof(*hdr));
continue;
}
if (hdr->nlmsg_len > fpm.msg_len) { if (hdr->nlmsg_len > fpm.msg_len) {
zlog_warn( zlog_warn(
"%s: Received a inner header length of %u that is greater than the fpm total length of %u", "%s: Received a inner header length of %u that is greater than the fpm total length of %u",
@ -691,6 +683,14 @@ static void fpm_read(struct event *t)
switch (hdr->nlmsg_type) { switch (hdr->nlmsg_type) {
case RTM_NEWROUTE: case RTM_NEWROUTE:
/* Sanity check: need at least route msg header size. */
if (hdr->nlmsg_len < sizeof(struct rtmsg)) {
zlog_warn("%s: [seq=%u] invalid message length %u (< %zu)",
__func__, hdr->nlmsg_seq,
hdr->nlmsg_len, sizeof(struct rtmsg));
break;
}
ctx = dplane_ctx_alloc(); ctx = dplane_ctx_alloc();
dplane_ctx_route_init(ctx, DPLANE_OP_ROUTE_NOTIFY, NULL, dplane_ctx_route_init(ctx, DPLANE_OP_ROUTE_NOTIFY, NULL,
NULL); NULL);