From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 15 Apr 2017 17:25:03 +0000 (-0400)
Subject: zebra: Add some more checks to fec [un]registration
X-Git-Tag: reindent-master-before~213^2~5
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=7abc04e686fefeb76bc825e908837e55bec0efc7;p=matthieu%2Ffrr.git

zebra: Add some more checks to fec [un]registration

Be a bit more rigoruous about what we can receive
from another protocol and attempt to make the code
less likely to crash and to just safely bail
out when an error is received.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---

diff --git a/zebra/zserv.c b/zebra/zserv.c
index afbaf7eefa..416e5444ea 100644
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -934,6 +934,8 @@ zserv_rnh_unregister (struct zserv *client, int sock, u_short length,
   return 0;
 }
 
+#define ZEBRA_MIN_FEC_LENGTH 9
+
 /* FEC register */
 static int
 zserv_fec_register (struct zserv *client, int sock, u_short length)
@@ -950,10 +952,28 @@ zserv_fec_register (struct zserv *client, int sock, u_short length)
   if (!zvrf)
     return 0; // unexpected
 
+  /*
+   * The minimum amount of data that can be sent for one fec
+   * registration
+   */
+  if (length < ZEBRA_MIN_FEC_LENGTH)
+    {
+      zlog_err ("fec_register: Received a fec register of length %d, it is of insufficient size to properly decode",
+                length);
+      return -1;
+    }
+
   while (l < length)
     {
       flags = stream_getw(s);
       p.family = stream_getw(s);
+      if (p.family != AF_INET &&
+          p.family != AF_INET6)
+        {
+          zlog_err ("fec_register: Received unknown family type %d\n",
+                    p.family);
+          return -1;
+        }
       p.prefixlen = stream_getc(s);
       l += 5;
       stream_get(&p.u.prefix, s, PSIZE(p.prefixlen));
@@ -984,11 +1004,29 @@ zserv_fec_unregister (struct zserv *client, int sock, u_short length)
   if (!zvrf)
     return 0;  // unexpected
 
+  /*
+   * The minimum amount of data that can be sent for one
+   * fec unregistration
+   */
+  if (length < ZEBRA_MIN_FEC_LENGTH)
+    {
+      zlog_err ("fec_unregister: Received a fec unregister of length %d, it is of insufficient size to properly decode",
+                length);
+      return -1;
+    }
+
   while (l < length)
     {
       //flags = stream_getw(s);
       (void)stream_getw(s);
       p.family = stream_getw(s);
+      if (p.family != AF_INET &&
+          p.family != AF_INET6)
+        {
+          zlog_err ("fec_unregister: Received unknown family type %d\n",
+                    p.family);
+          return -1;
+        }
       p.prefixlen = stream_getc(s);
       l += 5;
       stream_get(&p.u.prefix, s, PSIZE(p.prefixlen));