bgpd: fix insecure data write with ip addresses
authorLouis Scalbert <louis.scalbert@6wind.com>
Thu, 28 Sep 2023 14:53:35 +0000 (16:53 +0200)
committerLouis Scalbert <louis.scalbert@6wind.com>
Thu, 28 Sep 2023 15:51:23 +0000 (17:51 +0200)
Fix issues where an attacker may inject a tainted length value to
corrupt the memory.

> CID 1568378 (#1-6 of 6): Untrusted value as argument (TAINTED_SCALAR)
> 16. tainted_data: Passing tainted expression length to bgp_linkstate_tlv_attribute_value_display, which uses it as an offset. [show details]

Fixes: 7e0d9ff8ba ("bgpd: display link-state prefixes detail")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
bgpd/bgp_linkstate_tlv.c

index 6b7d8d2f3eccd0e9f9e4e9be5ab241965f02c969..1594d8fd9552b04fea3abd490f1c77a459a8767c 100644 (file)
@@ -577,7 +577,8 @@ static bool bgp_linkstate_nlri_value_display(char *buf, size_t size,
                break;
        case BGP_LS_TLV_IP_REACHABILITY_INFORMATION:
                mask_length = pnt_decode8(&pnt);
-               if (nlri_type == BGP_LINKSTATE_PREFIX4) {
+               if (nlri_type == BGP_LINKSTATE_PREFIX4 &&
+                   ((length - sizeof(mask_length)) <= sizeof(ipv4.s_addr))) {
                        memcpy(&ipv4.s_addr, pnt, length - sizeof(mask_length));
                        if (json)
                                json_object_string_addf(json, "ipReachability",
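Review bot: The new IPv4 bound `(length - sizeof(mask_length)) <= sizeof(ipv4.s_addr)` rejects a zero `length` only because the unsigned subtraction wraps to a value far larger than 4, and by that point `pnt_decode8(&pnt)` has already read a byte the TLV did not declare. I would state the lower bound explicitly before decoding, e.g. `if (length < sizeof(mask_length)) break;` (or whatever error path this function uses), and compute the count once with `size_t addr_len = length - sizeof(mask_length);` so the check and the `memcpy` cannot drift apart. The IPv6 branch in the next hunk repeats the same expression and would reuse `addr_len`. The declaration of `length` and the start of the `switch` lie outside the hunk, so its type and any earlier validation against the remaining NLRI bytes are not visible here.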
@@ -587,7 +588,8 @@ static bool bgp_linkstate_nlri_value_display(char *buf, size_t size,
                                snprintfrr(buf, size, "%sIPv4:%pI4/%u",
                                           first ? "" : " ", &ipv4,
                                           mask_length);
-               } else if (nlri_type == BGP_LINKSTATE_PREFIX6) {
+               } else if (nlri_type == BGP_LINKSTATE_PREFIX6 &&
+                          ((length - sizeof(mask_length)) <= sizeof(ipv6))) {
                        memcpy(&ipv6, pnt, length - sizeof(mask_length));
                        if (json)
                                json_object_string_addf(json, "ipReachability",
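Review bot: The bound on the IPv6 branch protects the destination but still admits a copy shorter than `sizeof(ipv6)`, so the bytes of `ipv6` past the copied prefix keep whatever they held before and are then formatted into the `show` output. The IPv4 branch in the previous hunk behaves the same way with `ipv4.s_addr`. If the two variables are not zero-initialised at their declaration (outside the hunk), clear them before the copy, e.g. `memset(&ipv6, 0, sizeof(ipv6));`. Separately, `mask_length` is printed without being compared to the number of address bytes present; checking the byte count against `(mask_length + 7) / 8` and logging a mismatch would make a malformed TLV visible to operators instead of rendering it as a plausible prefix. The rest of this branch and any trailing `else` are outside the hunk, so whether an oversized TLV is reported or silently skipped cannot be told from here.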