proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-04-28 17:01:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ldpd: add missing sanity check in the parsing of label messages

Browse Source 
Validate that the FEC prefix length is within the allowed limit
(depending on the FEC address family) in order to prevent possible
buffer overflows.

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
This commit is contained in:
Renato Westphal 2019-11-13 21:51:06 -03:00
parent b6af40b98a
commit f2e8b73572
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ldpd/labelmapping.c
View File

@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf,
/* Prefix Length */
map->fec.prefix.prefixlen = buf[off];
off += sizeof(uint8_t);
if ((map->fec.prefix.af == AF_IPV4
&& map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN)
|| (map->fec.prefix.af == AF_IPV6
&& map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) {
session_shutdown(nbr, S_BAD_TLV_VAL, msg->id,
msg->type);
return (-1);
}
if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) {
session_shutdown(nbr, S_BAD_TLV_LEN, msg->id,
msg->type);