proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-05-31 07:51:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #13758 from cscarpitta/bugfix/fix-read-beyond-stream-isis-asla

Browse Source 
isisd: Fix read beyond end of stream of ASLA Sub-TLV parsing
This commit is contained in:
Russ White 2023-06-20 09:19:23 -04:00 committed by GitHub
commit e6b33e137f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
isisd/isis_tlvs.c
View File

@ -1133,7 +1133,7 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
uint8_t uabm_flag_len; uint8_t uabm_flag_len;
uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0}; uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0}; uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
uint8_t readable; uint8_t readable = subtlv_len;
uint8_t subsubtlv_type; uint8_t subsubtlv_type;
uint8_t subsubtlv_len; uint8_t subsubtlv_len;
size_t nb_groups; size_t nb_groups;
@ -1156,15 +1156,23 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
asla->standard_apps_length = ASLA_APPS_LENGTH_MASK & sabm_flag_len; asla->standard_apps_length = ASLA_APPS_LENGTH_MASK & sabm_flag_len;
asla->user_def_apps_length = ASLA_APPS_LENGTH_MASK & uabm_flag_len; asla->user_def_apps_length = ASLA_APPS_LENGTH_MASK & uabm_flag_len;
readable -= ISIS_SUBSUBTLV_HDR_SIZE;
if (readable <
asla->standard_apps_length + asla->user_def_apps_length) {
TLV_SIZE_MISMATCH(log, indent, "ASLA");
return -1;
}
for (int i = 0; i < asla->standard_apps_length; i++) for (int i = 0; i < asla->standard_apps_length; i++)
sabm[i] = stream_getc(s); sabm[i] = stream_getc(s);
for (int i = 0; i < asla->user_def_apps_length; i++) for (int i = 0; i < asla->user_def_apps_length; i++)
uabm[i] = stream_getc(s); uabm[i] = stream_getc(s);
readable -= (asla->standard_apps_length + asla->user_def_apps_length);
asla->standard_apps = sabm[0]; asla->standard_apps = sabm[0];
asla->user_def_apps = uabm[0]; asla->user_def_apps = uabm[0];
readable = subtlv_len - 4;
while (readable > 0) { while (readable > 0) {
if (readable < ISIS_SUBSUBTLV_HDR_SIZE) { if (readable < ISIS_SUBSUBTLV_HDR_SIZE) {
TLV_SIZE_MISMATCH(log, indent, "ASLA Sub TLV"); TLV_SIZE_MISMATCH(log, indent, "ASLA Sub TLV");