isisd: don't overrun list of protocols

isisd currently has a list of supported protocols as a fixed array of
size 4.  this can be overran, leading to an overwrite of the ipv4_addrs
pointer.

  * isisd/isis_pdu.c: don't accept more protocols than there's space for

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>

diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index ffc67178b4a04ac93cc6f6ceb7c419bc25142f77..bfa1e4e931fe7c11d1f52eec366989b4f7681f9a 100644 (file)
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -311,7 +311,7 @@ tlvs_to_adj_area_addrs (struct tlvs *tlvs, struct isis_adjacency *adj)
     }
 }
 
-static void
+static int
 tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 {
   int i;
@@ -321,6 +321,8 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
     {
 
       tlv_nlpids = tlvs->nlpids;
+      if (tlv_nlpids->count > array_size (adj->nlpids.nlpids))
+        return 1;
 
       adj->nlpids.count = tlv_nlpids->count;
 
@@ -329,6 +331,7 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
          adj->nlpids.nlpids[i] = tlv_nlpids->nlpids[i];
        }
     }
+  return 0;
 }
 
 static void
@@ -548,7 +551,8 @@ process_p2p_hello (struct isis_circuit *circuit)
 
   /* which protocol are spoken ??? */
   if (found & TLVFLAG_NLPID)
-    tlvs_to_adj_nlpids (&tlvs, adj);
+    if (tlvs_to_adj_nlpids (&tlvs, adj))
+      return ISIS_ERROR;
 
   /* we need to copy addresses to the adj */
   if (found & TLVFLAG_IPV4_ADDR)