proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-06-13 17:49:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

babeld: fix #10502 #10503 by repairing the checks on length

Browse Source 
This patch repairs the checking conditions on length in four functions:
babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>
This commit is contained in:
qingkaishi 2022-02-04 16:41:11 -05:00
parent 2da1428ab2
commit c3793352a8
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
babeld/message.c
View File

@ -140,12 +140,12 @@ parse_update_subtlv(const unsigned char *a, int alen,
continue; continue;
} }
if(i + 1 > alen) { if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET, "Received truncated attributes."); flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
return; return;
} }
len = a[i + 1]; len = a[i + 1];
if(i + len > alen) { if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET, "Received truncated attributes."); flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
return; return;
} }
@ -182,19 +182,19 @@ parse_hello_subtlv(const unsigned char *a, int alen,
int type, len, i = 0, ret = 0; int type, len, i = 0, ret = 0;
while(i < alen) { while(i < alen) {
type = a[0]; type = a[i];
if(type == SUBTLV_PAD1) { if(type == SUBTLV_PAD1) {
i++; i++;
continue; continue;
} }
if(i + 1 > alen) { if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET, flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on Hello message."); "Received truncated sub-TLV on Hello message.");
return -1; return -1;
} }
len = a[i + 1]; len = a[i + 1];
if(i + len > alen) { if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET, flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on Hello message."); "Received truncated sub-TLV on Hello message.");
return -1; return -1;
@ -228,19 +228,19 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
int type, len, i = 0, ret = 0; int type, len, i = 0, ret = 0;
while(i < alen) { while(i < alen) {
type = a[0]; type = a[i];
if(type == SUBTLV_PAD1) { if(type == SUBTLV_PAD1) {
i++; i++;
continue; continue;
} }
if(i + 1 > alen) { if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET, flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on IHU message."); "Received truncated sub-TLV on IHU message.");
return -1; return -1;
} }
len = a[i + 1]; len = a[i + 1];
if(i + len > alen) { if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET, flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on IHU message."); "Received truncated sub-TLV on IHU message.");
return -1; return -1;
@ -302,12 +302,12 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
i++; i++;
continue; continue;
} }
if(i + 1 > bodylen) { if(i + 2 > bodylen) {
debugf(BABEL_DEBUG_COMMON,"Received truncated message."); debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
return 1; return 1;
} }
len = message[1]; len = message[1];
if(i + len > bodylen) { if(i + len + 2 > bodylen) {
debugf(BABEL_DEBUG_COMMON,"Received truncated message."); debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
return 1; return 1;
} }