proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-15 11:30:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #5337 from opensourcerouting/ldpd-buffer-overflow-7.1

Browse Source 
[7.1] ldpd: add missing sanity check in the parsing of label messages
This commit is contained in:
Sri Mohana Singamsetty 2019-11-15 15:38:45 -08:00 committed by GitHub
commit 9e37611dd0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ldpd/labelmapping.c
View File

@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf,
/* Prefix Length */ /* Prefix Length */
map->fec.prefix.prefixlen = buf[off]; map->fec.prefix.prefixlen = buf[off];
off += sizeof(uint8_t); off += sizeof(uint8_t);
if ((map->fec.prefix.af == AF_IPV4
&& map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN)
|| (map->fec.prefix.af == AF_IPV6
&& map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) {
session_shutdown(nbr, S_BAD_TLV_VAL, msg->id,
msg->type);
return (-1);
}
if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) { if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) {
session_shutdown(nbr, S_BAD_TLV_LEN, msg->id, session_shutdown(nbr, S_BAD_TLV_LEN, msg->id,
msg->type); msg->type);