Merge pull request #12433 from donaldsharp/more_use_after_use_and_use

bgpd: Fix 2 read beyond end of streams in bgp srv6 packet processing
Donatas Abraitis 2022-12-05 22:46:07 +02:00 committed by GitHub
commit f44032cfc8


@ -2702,6 +2702,18 @@ bgp_attr_srv6_service_data(struct bgp_attr_parser_args *args)
}
if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE) {
if (STREAM_READABLE(peer->curr) <
BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {
flog_err(
EC_BGP_ATTR_LEN,
"Malformed SRv6 Service Data Sub-Sub-TLV attribute - insufficient data (need %u, have %zu remaining in UPDATE)",
BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH,
STREAM_READABLE(peer->curr));
return bgp_attr_malformed(
args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
args->total);
}
loc_block_len = stream_getc(peer->curr);
loc_node_len = stream_getc(peer->curr);
func_len = stream_getc(peer->curr);
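Review bot: The new guard before the three `stream_getc()` reads compares the fixed structure length only with `STREAM_READABLE(peer->curr)`, which the log text itself describes as bytes remaining in the UPDATE, not with the length this sub-sub-TLV declared. If a declared length is parsed earlier in `bgp_attr_srv6_service_data` (the function starts and ends outside the hunk, so this is inferred), a sub-sub-TLV declaring fewer bytes than BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH would still pass, and the fixed-size reads would consume bytes belonging to whatever follows it in the stream. I would reject that case as well, e.g. `if (length < BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH || STREAM_READABLE(peer->curr) < BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {`, where `length` stands for the parsed sub-sub-TLV length. The same applies to the BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO check in the `bgp_attr_srv6_service` hunk.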
@ -2774,6 +2786,17 @@ bgp_attr_srv6_service(struct bgp_attr_parser_args *args)
}
if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO) {
if (STREAM_READABLE(peer->curr) <
BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH) {
flog_err(
EC_BGP_ATTR_LEN,
"Malformed SRv6 Service Sub-TLV attribute - insufficent data (need %d for attribute data, have %zu remaining in UPDATE)",
BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH,
STREAM_READABLE(peer->curr));
return bgp_attr_malformed(
args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
args->total);
}
stream_getc(peer->curr);
stream_get(&ipv6_sid, peer->curr, sizeof(ipv6_sid));
sid_flags = stream_getc(peer->curr);
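Review bot: The log string added in this hunk misspells the word as "insufficent", so a log search or alert keyed on `insufficient data` will match the message from `bgp_attr_srv6_service_data` but miss this one; the string should read `insufficient data`. The two messages also print the required length with different conversions (`%d` here, `%u` in the other hunk). Both macros are defined outside this page, so their type is not visible, but the pair should share the one specifier that matches it. `bgp_attr_srv6_service` continues outside the hunk.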