Fix an issue where an attacker may inject a tainted length value to
corrupt the memory.
> CID 1568380 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
> 9. tainted_data: Passing tainted expression length to bgp_linkstate_nlri_value_display, which uses it as an offset

Fixes: 8b531b1107 ("bgpd: store and send bgp link-state attributes")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
{
struct iso_address addr;
+ if (length > sizeof(addr.area_addr)) {
+ bgp_linkstate_tlv_hexa_display(vty, pnt, length, json);
+ return;
+ }
+
addr.addr_len = length;
memcpy(addr.area_addr, pnt, length);
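Review bot: the new `length > sizeof(addr.area_addr)` guard bounds only the destination of the `memcpy()`; the same untrusted `length` is still used as the read size from `pnt`, both in the `bgp_linkstate_tlv_hexa_display(vty, pnt, length, json)` fallback and in the copy itself, and nothing in these lines shows that `pnt` has `length` bytes available. If the caller already checks `length` against the remaining TLV data, a short comment above the guard saying so would make that assumption visible; if it does not, that check belongs there. A one-line comment explaining that an oversized area address is deliberately shown as raw hex rather than rejected would also help, since the early `return` otherwise reads as a silent drop.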