From: Carmine Scarpitta
Date: Sat, 10 Jun 2023 14:08:25 +0000 (+0200)
Subject: isisd: Fix use beyond end of stream of ASLA Sub-TLV parsing
X-Git-Tag: base_9.1~347^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=2a9e0824a7bd85d5436615065f0311910106c3cf;p=mirror%2Ffrr.git

isisd: Fix use beyond end of stream of ASLA Sub-TLV parsing

Fixes a crash associated with attempting to read beyond the end of the stream when parsing ASLA Sub-TLV.

```
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
subtlv_len=13 '\r') at isisd/isis_tlvs.c:1473
at isisd/isis_tlvs.c:3264
context=, mtid=) at isisd/isis_tlvs.c:6078
indent=4) at isisd/isis_tlvs.c:6142
avail_len=, context=) at isisd/isis_tlvs.c:7032
at isisd/isis_tlvs.c:7054
(gdb)
```

Caught by fuzzer.

Signed-off-by: Carmine Scarpitta
---
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 4ad877ce0f..e871ae8c4f 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -1133,7 +1133,7 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
  uint8_t uabm_flag_len;
  uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
  uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
- uint8_t readable;
+ uint8_t readable = subtlv_len;
  uint8_t subsubtlv_type;
  uint8_t subsubtlv_len;
  size_t nb_groups;
@@ -1156,15 +1156,23 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
  asla->standard_apps_length = ASLA_APPS_LENGTH_MASK & sabm_flag_len;
  asla->user_def_apps_length = ASLA_APPS_LENGTH_MASK & uabm_flag_len;
 
+ readable -= ISIS_SUBSUBTLV_HDR_SIZE;
+ if (readable <
+ asla->standard_apps_length + asla->user_def_apps_length) {
+ TLV_SIZE_MISMATCH(log, indent, "ASLA");
+ return -1;
+ }
+
  for (int i = 0; i < asla->standard_apps_length; i++)
  sabm[i] = stream_getc(s);
  for (int i = 0; i < asla->user_def_apps_length; i++)
  uabm[i] = stream_getc(s);
 
+ readable -= (asla->standard_apps_length + asla->user_def_apps_length);
+
  asla->standard_apps = sabm[0];
  asla->user_def_apps = uabm[0];
 
- readable = subtlv_len - 4;
  while (readable > 0) {
  if (readable < ISIS_SUBSUBTLV_HDR_SIZE) {
  TLV_SIZE_MISMATCH(log, indent, "ASLA Sub TLV");
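Review bot: `readable -= ISIS_SUBSUBTLV_HDR_SIZE;` at the top of the hunk is a uint8_t subtraction with no guard in the hunk that `readable` (initialised to `subtlv_len` in the first hunk) is at least `ISIS_SUBSUBTLV_HDR_SIZE`; if the function's prologue, which is outside the hunk and already consumes the two flag/length bytes, does not reject a shorter sub-TLV first, a length of 0 or 1 wraps `readable` to a large value, the new `readable < standard_apps_length + user_def_apps_length` check passes spuriously, and the loops plus `while (readable > 0)` keep consuming bytes the sub-TLV does not carry. If no such prologue check exists, a guard immediately before the subtraction closes it: `if (readable < ISIS_SUBSUBTLV_HDR_SIZE) { TLV_SIZE_MISMATCH(log, indent, "ASLA"); return -1; }`; if it does exist, a one-line comment on the subtraction naming that reliance would make the invariant visible to the next reader. Once that holds, the second subtraction `readable -= (asla->standard_apps_length + asla->user_def_apps_length);` is safe, since the added check guarantees the operand is not larger than `readable`. unpack_item_ext_subtlv_asla begins before this hunk and continues after it.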