proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-05-02 18:56:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

babeld: fix #10487 by adding a check on packet length

Browse Source 
The body length of a packet should satisfy the condition:
packetlen >= bodylen + 4. Otherwise, heap overflows may happen.

Signed-off-by: whichbug <whichbug@github.com>
This commit is contained in:
whichbug 2022-02-03 12:01:31 -05:00
parent a89a78236c
commit 50044ec7fe
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
babeld/message.c
View File

@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
static int static int
babel_packet_examin(const unsigned char *packet, int packetlen) babel_packet_examin(const unsigned char *packet, int packetlen)
{ {
unsigned i = 0, bodylen; int i = 0, bodylen;
const unsigned char *message; const unsigned char *message;
unsigned char type, len; unsigned char type, len;
if(packetlen < 4 || packet[0] != 42 || packet[1] != 2) if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
return 1; return 1;
DO_NTOHS(bodylen, packet + 2); DO_NTOHS(bodylen, packet + 2);
if(bodylen + 4 > packetlen) {
debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
bodylen, packetlen);
return 1;
}
while (i < bodylen){ while (i < bodylen){
message = packet + 4 + i; message = packet + 4 + i;
type = message[0]; type = message[0];
@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
DO_NTOHS(bodylen, packet + 2); DO_NTOHS(bodylen, packet + 2);
if(bodylen + 4 > packetlen) {
flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
bodylen, packetlen);
bodylen = packetlen - 4;
}
i = 0; i = 0;
while(i < bodylen) { while(i < bodylen) {
message = packet + 4 + i; message = packet + 4 + i;