From: David Lamparter Date: Tue, 8 May 2012 11:32:53 +0000 (+0200) Subject: isisd: don't overrun list of protocols X-Git-Tag: frr-2.0-rc1~1765 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=655071f44aab42e89bcece3a93da456fdd0d913a;p=matthieu%2Ffrr.git isisd: don't overrun list of protocols isisd currently has a list of supported protocols as a fixed array of size 4. this can be overran, leading to an overwrite of the ipv4_addrs pointer. * isisd/isis_pdu.c: don't accept more protocols than there's space for Signed-off-by: David Lamparter
---
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index ffc67178b4..bfa1e4e931 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -311,7 +311,7 @@ tlvs_to_adj_area_addrs (struct tlvs *tlvs, struct isis_adjacency *adj)
 }
 }
-static void
+static int
 tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 {
 int i;
@@ -321,6 +321,8 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 {
 tlv_nlpids = tlvs->nlpids;
+ if (tlv_nlpids->count > array_size (adj->nlpids.nlpids))
+ return 1;
 adj->nlpids.count = tlv_nlpids->count;
@@ -329,6 +331,7 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 adj->nlpids.nlpids[i] = tlv_nlpids->nlpids[i];
 }
 }
+ return 0;
 }
 static void
@@ -548,7 +551,8 @@ process_p2p_hello (struct isis_circuit *circuit)
 /* which protocol are spoken ??? */
 if (found & TLVFLAG_NLPID)
- tlvs_to_adj_nlpids (&tlvs, adj);
+ if (tlvs_to_adj_nlpids (&tlvs, adj))
+ return ISIS_ERROR;
 /* we need to copy addresses to the adj */
 if (found & TLVFLAG_IPV4_ADDR)
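Review bot: The new bounds check in tlvs_to_adj_nlpids (second hunk) rejects an oversize NLPID TLV silently, so an operator gets no trace that a neighbour sent more protocol IDs than `adj->nlpids.nlpids` can hold. A warning through the file's logging helper just before `return 1;`, giving the received count and the array capacity, would make a malformed or hostile hello visible in the logs. The function now returns a status but has no comment saying so; something like `/* Returns 0 on success, 1 if the TLV lists more NLPIDs than adj can store (adj is left unchanged). */` above the definition would document the contract. The function body spans the first three hunks and parts of it, including the copy loop header, are not shown.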
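Review bot: The early `return ISIS_ERROR;` added in process_p2p_hello (last hunk) exits before whatever cleanup the function performs later, and the rest of the body is outside this hunk. If `tlvs` owns memory from TLV parsing that is normally released at the end of the function, each rejected hello would leak it, which a misbehaving neighbour could repeat at will; confirm the error path releases it before returning. The nested unbraced `if` is also easy to misread and invites a dangling-else mistake later; `if ((found & TLVFLAG_NLPID) && tlvs_to_adj_nlpids (&tlvs, adj))` followed by `return ISIS_ERROR;` expresses the same thing in one condition. Any other caller of tlvs_to_adj_nlpids not shown on this page would still discard the new return value and should be checked.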