proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-11-04 13:43:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bgpd: fix illegal memory access in bgp_ls_tlv_check_size()

Browse Source 
Fix illegal memory access bgp_ls_tlv_check_size() if type is 1253.

> CID 1568377 (#4 of 4): Out-of-bounds read (OVERRUN)
> 5. overrun-local: Overrunning array bgp_linkstate_tlv_infos of 1253 16-byte elements at element index 1253 (byte offset 20063) using index type (which evaluates to 1253).

Fixes: 7e0d9ff8ba ("bgpd: display link-state prefixes detail")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
This commit is contained in:
Louis Scalbert 2023-09-28 15:27:27 +02:00
parent eb9e286511
commit dae5791c44
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
bgpd/bgp_linkstate_tlv.c
View File

@ -31,7 +31,7 @@ struct bgp_linkstate_tlv_info {
#define UNDEF_MULTPL 1
/* clang-format off */
struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX] = {
struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX + 1] = {
/* NLRI TLV */
[BGP_LS_TLV_LOCAL_NODE_DESCRIPTORS] = {"Local Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
[BGP_LS_TLV_REMOTE_NODE_DESCRIPTORS] = {"Remote Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
@ -1706,7 +1706,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
json_tlv = json_object_new_object();
json_object_object_add(json, tlv_type, json_tlv);
if (type < BGP_LS_TLV_MAX &&
if (type <= BGP_LS_TLV_MAX &&
bgp_linkstate_tlv_infos[type].descr != NULL)
json_object_string_add(
json_tlv, "description",
@ -1721,7 +1721,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
"too high length received: %u", length);
break;
}
if (type < BGP_LS_TLV_MAX &&
if (type <= BGP_LS_TLV_MAX &&
bgp_linkstate_tlv_infos[type].descr != NULL &&
!bgp_ls_tlv_check_size(type, length))
json_object_string_addf(
@ -1729,7 +1729,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
"unexpected length received: %u",
length);
} else {
if (type < BGP_LS_TLV_MAX &&
if (type <= BGP_LS_TLV_MAX &&
bgp_linkstate_tlv_infos[type].descr != NULL)
vty_out(vty, "%*s%s: ", indent, "",
bgp_linkstate_tlv_infos[type].descr);

2
bgpd/bgp_linkstate_tlv.h
View File

@ -197,7 +197,7 @@ enum bgp_linkstate_tlv {
1251, /* draft-ietf-idr-bgpls-srv6-ext-08 */
BGP_LS_TLV_SRV6_SID_STRUCTURE_TLV =
1252, /* draft-ietf-idr-bgpls-srv6-ext-08 */
BGP_LS_TLV_MAX = 1253, /* max TLV value for table size*/
BGP_LS_TLV_MAX = 1252, /* max TLV value for table size*/
};
/* RFC7752 #3.2.1.4 IGP router-ID */