proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-07-27 15:23:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bgpd: Make sure we have enough data to read two bytes when validating AIGP

Browse Source 
Found when fuzzing:

```
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
READ of size 2 at 0xffff77801ef7 thread T0
    0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
    1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
    2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
    3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
    4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
```

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit f96201e104)
This commit is contained in:
Donatas Abraitis 2023-08-18 11:28:03 +03:00 committed by Mergify
parent 9993bc19ad
commit 460ee930d6
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
bgpd/bgp_attr.c
View File

@ -513,6 +513,7 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length)
uint8_t *data = pnt;
uint8_t tlv_type;
uint16_t tlv_length;
uint8_t *end = data + length;
if (length < 3) {
zlog_err("Bad AIGP attribute length (MUST be minimum 3): %u",
@ -521,7 +522,13 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length)
}
while (length) {
size_t data_len = end - data;
tlv_type = *data;
if (data_len - 1 < 2)
return false;
ptr_get_be16(data + 1, &tlv_length);
(void)data;