bgpd: fix illegal memory access in bgp_ls_tlv_check_size()
authorLouis Scalbert <louis.scalbert@6wind.com>
Thu, 28 Sep 2023 13:27:27 +0000 (15:27 +0200)
committerLouis Scalbert <louis.scalbert@6wind.com>
Thu, 28 Sep 2023 13:27:27 +0000 (15:27 +0200)
Fix an illegal memory access in bgp_ls_tlv_check_size() when type is 1253.

> CID 1568377 (#4 of 4): Out-of-bounds read (OVERRUN)
> 5. overrun-local: Overrunning array bgp_linkstate_tlv_infos of 1253 16-byte elements at element index 1253 (byte offset 20063) using index type (which evaluates to 1253).

Fixes: 7e0d9ff8ba ("bgpd: display link-state prefixes detail")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
bgpd/bgp_linkstate_tlv.c
bgpd/bgp_linkstate_tlv.h

index 5538f7a761d30fab1fc83f963d83be10f72ddc94..6b7d8d2f3eccd0e9f9e4e9be5ab241965f02c969 100644 (file)
@@ -31,7 +31,7 @@ struct bgp_linkstate_tlv_info {
 #define UNDEF_MULTPL 1
 
 /* clang-format off */
-struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX] = {
+struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX + 1] = {
        /* NLRI TLV */
        [BGP_LS_TLV_LOCAL_NODE_DESCRIPTORS] = {"Local Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
        [BGP_LS_TLV_REMOTE_NODE_DESCRIPTORS] = {"Remote Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
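Review bot: The `+ 1` on the table size is only correct together with the new meaning of `BGP_LS_TLV_MAX`, and nothing at the definition records that. A comment above the array such as `/* indexed by TLV type, 0..BGP_LS_TLV_MAX inclusive; entries not listed are zero, so descr == NULL marks an unknown type */` would state the invariant that the `descr != NULL` checks in bgp_linkstate_tlv_attribute_display() depend on. If no code writes to the table (not visible here), declaring it `const` would also keep a lookup table that is indexed by received values read-only. The initializer continues outside the hunk.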
@@ -1706,7 +1706,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
                        json_tlv = json_object_new_object();
                        json_object_object_add(json, tlv_type, json_tlv);
 
-                       if (type < BGP_LS_TLV_MAX &&
+                       if (type <= BGP_LS_TLV_MAX &&
                            bgp_linkstate_tlv_infos[type].descr != NULL)
                                json_object_string_add(
                                        json_tlv, "description",
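Review bot: The bounds test `type <= BGP_LS_TLV_MAX && bgp_linkstate_tlv_infos[type].descr != NULL` is written out three times in bgp_linkstate_tlv_attribute_display() (here and in the hunks at lines 1721 and 1729). Since `type` appears to come from a received attribute, each copy is a separate place where the off-by-one can come back. A single lookup helper that returns the table entry or NULL would leave one comparison to keep in step with the table size. The helper name below is a proposal, and its parameter type should match the local `type`, which is declared outside the hunk. The function body starts and ends outside the hunk.

```c
/* Proposed helper: the only place that indexes the table by a received type. */
static const struct bgp_linkstate_tlv_info *bgp_ls_tlv_info_get(uint16_t type)
{
	if (type > BGP_LS_TLV_MAX)
		return NULL;
	if (bgp_linkstate_tlv_infos[type].descr == NULL)
		return NULL;
	return &bgp_linkstate_tlv_infos[type];
}

/* … unchanged: json_tlv creation and json_object_object_add() … */
			if (bgp_ls_tlv_info_get(type) != NULL)
/* … unchanged: json_object_string_add() call … */
```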
@@ -1721,7 +1721,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
                                        "too high length received: %u", length);
                                break;
                        }
-                       if (type < BGP_LS_TLV_MAX &&
+                       if (type <= BGP_LS_TLV_MAX &&
                            bgp_linkstate_tlv_infos[type].descr != NULL &&
                            !bgp_ls_tlv_check_size(type, length))
                                json_object_string_addf(
@@ -1729,7 +1729,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
                                        "unexpected length received: %u",
                                        length);
                } else {
-                       if (type < BGP_LS_TLV_MAX &&
+                       if (type <= BGP_LS_TLV_MAX &&
                            bgp_linkstate_tlv_infos[type].descr != NULL)
                                vty_out(vty, "%*s%s: ", indent, "",
                                        bgp_linkstate_tlv_infos[type].descr);
index ad3b2570d671ea28854479a3bbded9e0ca91f6ad..cc543735b77f096c9105d5660c2695baee51524f 100644 (file)
@@ -197,7 +197,7 @@ enum bgp_linkstate_tlv {
                1251, /* draft-ietf-idr-bgpls-srv6-ext-08 */
        BGP_LS_TLV_SRV6_SID_STRUCTURE_TLV =
                1252,          /* draft-ietf-idr-bgpls-srv6-ext-08 */
-       BGP_LS_TLV_MAX = 1253, /* max TLV value for table size*/
+       BGP_LS_TLV_MAX = 1252, /* max TLV value for table size*/
 };
 
 /* RFC7752 #3.2.1.4 IGP router-ID */
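Review bot: Lowering `BGP_LS_TLV_MAX` from 1253 to 1252 turns it from an element count into the highest valid index, and that changes every other user of the constant, not only the three checks updated in bgp_linkstate_tlv.c. bgp_ls_tlv_check_size(), the function named in the commit title, is not touched by this diff, so its guard is presumably corrected only by the new value. That guard, and any loop or array that still treats the constant as a count, is worth checking. The comment on the enumerator should say which meaning holds, for example `/* highest defined TLV type; tables need BGP_LS_TLV_MAX + 1 entries */`.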