proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-04-28 17:42:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

isisd: fix crash when reading asla

Browse Source 
isisd is crashing when reading a ASLA sub-TLV with Application
Identifier Bit Mask length greater than 1 octet.

Set a limit of 8 bytes in accordance with RFC9479 and check that the
received value does not exceed the limit.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Link: https://www.rfc-editor.org/rfc/rfc9479.html#name-application-identifier-bit-
Fixes: 5749ac83a8 ("isisd: add ASLA support")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
(cherry picked from commit f1bc6c5d81)
This commit is contained in:
Louis Scalbert 2024-09-02 10:26:57 +02:00 committed by Mergify
parent cc7f633ef0
commit 2fd7f40dc9
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
isisd/isis_tlvs.c
View File

@ -1564,8 +1564,8 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
uint8_t sabm_flag_len;
/* User-defined App Identifier Bit Flags/Length */
uint8_t uabm_flag_len;
uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH] = { 0 };
uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH] = { 0 };
uint8_t readable = subtlv_len;
uint8_t subsubtlv_type;
uint8_t subsubtlv_len;
@ -1596,6 +1596,15 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
return -1;
}
if ((asla->standard_apps_length > ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH) ||
(asla->user_def_apps_length > ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH)) {
zlog_err("Standard or User-Defined Application Identifier Bit Mask Length greater than %u bytes. Received respectively a length of %u and %u bytes.",
ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH,
asla->standard_apps_length, asla->user_def_apps_length);
stream_forward_getp(s, readable);
return -1;
}
for (int i = 0; i < asla->standard_apps_length; i++)
sabm[i] = stream_getc(s);
for (int i = 0; i < asla->user_def_apps_length; i++)

1
isisd/isis_tlvs.h
View File

@ -717,6 +717,7 @@ struct isis_ext_subtlvs {
#define ISIS_SABM_FLAG_X 0x10 /* Flex-Algorithm - RFC9350 */
#define ASLA_APP_IDENTIFIER_BIT_LENGTH 1
#define ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH 8
#define ASLA_LEGACY_FLAG 0x80
#define ASLA_APPS_LENGTH_MASK 0x7f