bgpd: Fix use beyond end of stream of labeled unicast parsing
authorDonald Sharp <sharpd@nvidia.com>
Sat, 4 Mar 2023 02:58:33 +0000 (21:58 -0500)
committerMergify <37929162+mergify[bot]@users.noreply.github.com>
Sun, 5 Mar 2023 18:52:31 +0000 (18:52 +0000)
Fixes a couple crashes associated with attempting to read
beyond the end of the stream.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b)

bgpd/bgp_label.c

index 38f34a8927027fb63e69c54313af4019e866113e..64d1ff70ca2241bdd04f9b63f6a95fb258cb3334 100644 (file)
@@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
        uint8_t llen = 0;
        uint8_t label_depth = 0;
 
+       if (plen < BGP_LABEL_BYTES)
+               return 0;
+
        for (; data < lim; data += BGP_LABEL_BYTES) {
                memcpy(label, data, BGP_LABEL_BYTES);
                llen += BGP_LABEL_BYTES;
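Review bot: The added `plen < BGP_LABEL_BYTES` guard only covers the first label; on later iterations the loop condition `data < lim` still allows `memcpy(label, data, BGP_LABEL_BYTES)` when just one or two bytes remain before `lim`. Assuming `lim` is `pnt + plen` (its definition is above the hunk), a `plen` that is not a multiple of `BGP_LABEL_BYTES` can still cause a read past the end, unless the loop exits earlier in the part not shown. Bounding every iteration closes that: `for (; lim - data >= BGP_LABEL_BYTES; data += BGP_LABEL_BYTES) {`. The loop body and the function's return continue outside the hunk, so how a trailing partial label should be reported to the caller needs checking there.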
@@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
                        memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
                        addpath_id = ntohl(addpath_id);
                        pnt += BGP_ADDPATH_ID_LEN;
+
+                       if (pnt >= lim)
+                               return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
                }
 
                /* Fetch prefix length. */
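Review bot: The new `pnt >= lim` check has no comment, and it returns without logging, unlike the `llen == 0` path added further down in this commit, which calls `flog_err`. From the hunk alone a reader cannot tell that the check protects the read that follows under `/* Fetch prefix length. */`; a comment such as `/* Need at least the prefix-length octet after the Add-Path ID. */` would say so. Whether the `memcpy` of `BGP_ADDPATH_ID_LEN` bytes above is itself bounded is decided before the hunk starts and should be confirmed there.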
@@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 
                /* Fill in the labels */
                llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
+               if (llen == 0) {
+                       flog_err(
+                               EC_BGP_UPDATE_RCV,
+                               "%s [Error] Update packet error (wrong label length 0)",
+                               peer->host);
+                       bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
+                                       BGP_NOTIFY_UPDATE_INVAL_NETWORK);
+                       return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
+               }
                p.prefixlen = prefixlen - BSIZE(llen);
 
                /* There needs to be at least one label */
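Review bot: The log text `wrong label length 0` in the new `llen == 0` branch records neither `prefixlen` nor `psize`, so an operator triaging the resulting NOTIFICATION cannot see what the peer sent. Including them, e.g. `"%s [Error] Update packet error (no label in NLRI, prefixlen %d, psize %d)"` with `peer->host, prefixlen, psize`, would make the malformed update identifiable from the log alone. The `%d` specifiers assume both variables are integer types no wider than `int`; their declarations are outside the hunk.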