proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-14 12:25:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #7980 from gromit1811/fix_ospf6_lsa_str_oob

Browse Source 
Fix ospf6 LSA formatting out-of-bounds access
This commit is contained in:
Russ White 2021-02-09 07:36:29 -05:00 committed by GitHub
commit a384dd69d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ospf6d/ospf6_intra.c
View File

@ -76,7 +76,8 @@ static char *ospf6_router_lsa_get_nbr_id(struct ospf6_lsa *lsa, char *buf,
*)(start *)(start
+ pos * (sizeof(struct + pos * (sizeof(struct
ospf6_router_lsdesc))); ospf6_router_lsdesc)));
if ((char *)lsdesc < end) { if ((char *)lsdesc + sizeof(struct ospf6_router_lsdesc)
<= end) {
if (buf && (buflen > INET_ADDRSTRLEN * 2)) { if (buf && (buflen > INET_ADDRSTRLEN * 2)) {
inet_ntop(AF_INET, inet_ntop(AF_INET,
&lsdesc->neighbor_interface_id, buf1, &lsdesc->neighbor_interface_id, buf1,
@ -652,7 +653,7 @@ static char *ospf6_link_lsa_get_prefix_str(struct ospf6_lsa *lsa, char *buf,
end = (char *)lsa->header + ntohs(lsa->header->length); end = (char *)lsa->header + ntohs(lsa->header->length);
current = start; current = start;
do { while (current + sizeof(struct ospf6_prefix) <= end) {
prefix = (struct ospf6_prefix *)current; prefix = (struct ospf6_prefix *)current;
if (prefix->prefix_length == 0 if (prefix->prefix_length == 0
|| current + OSPF6_PREFIX_SIZE(prefix) > end) { || current + OSPF6_PREFIX_SIZE(prefix) > end) {
@ -670,7 +671,7 @@ static char *ospf6_link_lsa_get_prefix_str(struct ospf6_lsa *lsa, char *buf,
inet_ntop(AF_INET6, &in6, buf, buflen); inet_ntop(AF_INET6, &in6, buf, buflen);
return (buf); return (buf);
} }
} while (current <= end); }
} }
return NULL; return NULL;
} }
@ -881,7 +882,7 @@ static char *ospf6_intra_prefix_lsa_get_prefix_str(struct ospf6_lsa *lsa,
end = (char *)lsa->header + ntohs(lsa->header->length); end = (char *)lsa->header + ntohs(lsa->header->length);
current = start; current = start;
do { while (current + sizeof(struct ospf6_prefix) <= end) {
prefix = (struct ospf6_prefix *)current; prefix = (struct ospf6_prefix *)current;
if (prefix->prefix_length == 0 if (prefix->prefix_length == 0
|| current + OSPF6_PREFIX_SIZE(prefix) > end) { || current + OSPF6_PREFIX_SIZE(prefix) > end) {
@ -901,7 +902,7 @@ static char *ospf6_intra_prefix_lsa_get_prefix_str(struct ospf6_lsa *lsa,
prefix->prefix_length); prefix->prefix_length);
return (buf); return (buf);
} }
} while (current <= end); }
} }
return NULL; return NULL;
} }