git.puffer.fish Git - matthieu/frr.git/commit

bgpd: Check if we have really enough data before doing memcpy for software version

If we receive CAPABILITY message (software-version), we SHOULD check if we really
have enough data before doing memcpy(), that could also lead to buffer overflow.

(data + len > end) is not enough, because after this check we do data++ and later
memcpy(..., data, len). That means we have one more byte.

Hit this through fuzzing by

```
    0 0xaaaaaadf872c in __asan_memcpy (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x35872c) (BuildId: 9c6e455d0d9a20f5a4d2f035b443f50add9564d7)
    1 0xaaaaab06bfbc in bgp_dynamic_capability_software_version /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3713:3
    2 0xaaaaab05ccb4 in bgp_capability_msg_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3839:4
    3 0xaaaaab05c074 in bgp_capability_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3980:9
    4 0xaaaaab05e48c in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4109:11
    5 0xaaaaaae36150 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```

Hit this again by Iggy \m/

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 5d7af51c4f7980507135babd94d392ca179c1bf7)

author	Donatas Abraitis <donatas@opensourcerouting.org>
	Wed, 12 Jun 2024 19:54:45 +0000 (22:54 +0300)
committer	Mergify <37929162+mergify[bot]@users.noreply.github.com>
	Mon, 24 Jun 2024 20:40:00 +0000 (20:40 +0000)
commit	9f1e1eb14271971c1835a72ec5dd9e6a1a2d13b8
tree	6a304e09560978f5243507a67277d1fd8d087d9c	tree \| snapshot
parent	325c63c6ad147e5d8e58c5978e7a2737125685b4	commit \| diff