From f01828a1d77ef8d4edd93b4c5f793c5a8f9a6e85 Mon Sep 17 00:00:00 2001 From: Pat Ruddy Date: Sun, 14 Feb 2021 11:39:50 +0000 Subject: [PATCH 1/3] bgpd: mplsvpn SNMP correctly validate incoming rt_index check that RT index is in the allowed range Signed-off-by: Pat Ruddy --- bgpd/bgp_mplsvpn_snmp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bgpd/bgp_mplsvpn_snmp.c b/bgpd/bgp_mplsvpn_snmp.c index 055bae8432..e8084924f5 100644 --- a/bgpd/bgp_mplsvpn_snmp.c +++ b/bgpd/bgp_mplsvpn_snmp.c @@ -1023,14 +1023,17 @@ static struct bgp *bgpL3vpnVrfRt_lookup(struct variable *v, oid name[], *rt_type = name[namelen + vrf_name_len + sizeof(uint32_t)]; } + /* validate the RT index is in range */ + if (*rt_index > AFI_IP6) + return NULL; + if (exact) { l3vpn_bgp = bgp_lookup_by_name(vrf_name); if (l3vpn_bgp && !is_bgp_vrf_mplsvpn(l3vpn_bgp)) return NULL; if (!l3vpn_bgp) return NULL; - /* check the index and type match up */ - if ((*rt_index != AFI_IP) || (*rt_index != AFI_IP6)) + if ((*rt_index != AFI_IP) && (*rt_index != AFI_IP6)) return NULL; /* do we have RT config */ if (!(l3vpn_bgp->vpn_policy[*rt_index] From 23b88a967da32cc719554e50187127a9cc6d5b42 Mon Sep 17 00:00:00 2001 From: Pat Ruddy Date: Sun, 14 Feb 2021 12:08:08 +0000 Subject: [PATCH 2/3] bgpd: mplsvpn snmp: NULL check correct pointer Check the dereferenced pointer to the bgp instance and not the pointer to it. Signed-off-by: Pat Ruddy --- bgpd/bgp_mplsvpn_snmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bgpd/bgp_mplsvpn_snmp.c b/bgpd/bgp_mplsvpn_snmp.c index e8084924f5..7047607e5d 100644 --- a/bgpd/bgp_mplsvpn_snmp.c +++ b/bgpd/bgp_mplsvpn_snmp.c @@ -1461,7 +1461,7 @@ static struct bgp_path_info *bgpL3vpnRte_lookup(struct variable *v, oid name[], /* otherwise lookup the one we have */ *l3vpn_bgp = bgp_lookup_by_name(vrf_name); - if (l3vpn_bgp == NULL) + if (*l3vpn_bgp == NULL) return NULL; pi = bgp_lookup_route_next(l3vpn_bgp, dest, &prefix, policy, From 5a224c19f195c03275011b0b642b844182485334 Mon Sep 17 00:00:00 2001 From: Pat Ruddy Date: Sun, 14 Feb 2021 12:09:55 +0000 Subject: [PATCH 3/3] bgpd, lib: add oid2in6_addr utility and use it The existing code was using the oid2in_addr API to copy IPv6 addresses passing an IPv6 length. Create a utility to do this properly and avoid annoying coverity with type checking. Signed-off-by: Pat Ruddy --- bgpd/bgp_mplsvpn_snmp.c | 6 ++---- lib/smux.h | 1 + lib/snmp.c | 11 +++++++++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/bgpd/bgp_mplsvpn_snmp.c b/bgpd/bgp_mplsvpn_snmp.c index 7047607e5d..b74cf37ac7 100644 --- a/bgpd/bgp_mplsvpn_snmp.c +++ b/bgpd/bgp_mplsvpn_snmp.c @@ -1411,8 +1411,7 @@ static struct bgp_path_info *bgpL3vpnRte_lookup(struct variable *v, oid name[], break; case INETADDRESSTYPEIPV6: prefix.family = AF_INET6; - oid2in_addr(&name[i], sizeof(struct in6_addr), - &prefix.u.prefix4); /* sic */ + oid2in6_addr(&name[i], &prefix.u.prefix6); i += sizeof(struct in6_addr); break; } @@ -1434,8 +1433,7 @@ static struct bgp_path_info *bgpL3vpnRte_lookup(struct variable *v, oid name[], break; case INETADDRESSTYPEIPV6: nexthop.ipa_type = IPADDR_V6; - oid2in_addr(&name[i], sizeof(struct in6_addr), - &nexthop.ip._v4_addr); /* sic */ + oid2in6_addr(&name[i], &nexthop.ip._v6_addr); /* i += sizeof(struct in6_addr); */ break; } diff --git a/lib/smux.h b/lib/smux.h index e07df2369f..11c1becd60 100644 --- a/lib/smux.h +++ b/lib/smux.h @@ -143,6 +143,7 @@ extern int smux_trap_multi_index(struct variable *vp, size_t vp_len, size_t trapobjlen, uint8_t sptrap); extern int oid_compare(const oid *, int, const oid *, int); extern void oid2in_addr(oid[], int, struct in_addr *); +extern void oid2in6_addr(oid oid[], struct in6_addr *addr); extern void oid2int(oid oid[], int *dest); extern void *oid_copy(void *, const void *, size_t); extern void oid_copy_addr(oid[], const struct in_addr *, int); diff --git a/lib/snmp.c b/lib/snmp.c index e92f622bb9..17a4ed4a1d 100644 --- a/lib/snmp.c +++ b/lib/snmp.c @@ -64,6 +64,17 @@ void oid2in_addr(oid oid[], int len, struct in_addr *addr) *pnt++ = oid[i]; } +void oid2in6_addr(oid oid[], struct in6_addr *addr) +{ + unsigned int i; + uint8_t *pnt; + + pnt = (uint8_t *)addr; + + for (i = 0; i < sizeof(struct in6_addr); i++) + *pnt++ = oid[i]; +} + void oid2int(oid oid[], int *dest) { uint8_t i;