proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-06-04 00:37:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bgpd: fix insecure data write with area addresses

Browse Source 
Fix an issue where an attacker may inject a tainted length value to
corrupt the memory.

> CID 1568380 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
> 9. tainted_data: Passing tainted expression length to bgp_linkstate_nlri_value_display, which uses it as an offset

Fixes: 8b531b1107 ("bgpd: store and send bgp link-state attributes")  Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
This commit is contained in:
Louis Scalbert 2023-09-28 16:55:43 +02:00
parent 54222f9213
commit 57d0dc565f
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
bgpd/bgp_linkstate_tlv.c
View File

@ -1528,6 +1528,11 @@ static void bgp_linkstate_tlv_isis_area_indentifier_display(struct vty *vty,
{
struct iso_address addr;
if (length > sizeof(addr.area_addr)) {
bgp_linkstate_tlv_hexa_display(vty, pnt, length, json);
return;
}
addr.addr_len = length;
memcpy(addr.area_addr, pnt, length);