From: Renato Westphal
Date: Thu, 14 Nov 2019 00:51:06 +0000 (-0300)
Subject: ldpd: add missing sanity check in the parsing of label messages
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=80ecb9cac90697215362541e2a83d8073df74857;p=matthieu%2Ffrr.git
ldpd: add missing sanity check in the parsing of label messages
Validate that the FEC prefix length is within the allowed limit (depending on the FEC address family) in order to prevent possible buffer overflows.
Signed-off-by: Renato Westphal
---
diff --git a/ldpd/labelmapping.c b/ldpd/labelmapping.c
index 5e1b422a41..a656626356 100644
--- a/ldpd/labelmapping.c
+++ b/ldpd/labelmapping.c
@@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf,
 /* Prefix Length */
 map->fec.prefix.prefixlen = buf[off];
 off += sizeof(uint8_t);
+ if ((map->fec.prefix.af == AF_IPV4
+ && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN)
+ || (map->fec.prefix.af == AF_IPV6
+ && map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) {
+ session_shutdown(nbr, S_BAD_TLV_VAL, msg->id,
+ msg->type);
+ return (-1);
+ }
 if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) {
 session_shutdown(nbr, S_BAD_TLV_LEN, msg->id,
 msg->type);
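Review bot: The added bound is keyed on `map->fec.prefix.af == AF_IPV4` / `== AF_IPV6`, but the assignment of that field is outside this hunk, and if it is stored as the socket-layer `AF_INET`/`AF_INET6` rather than the LDP wire constants, the two branches would not apply the 32- and 128-bit limits to the families intended. Please confirm which constant set the field holds and compare against that set, e.g. `map->fec.prefix.af == AF_INET && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN`. The condition also lets any other `af` value through with no bound, so a `switch` on the family with a rejecting `default` would fail closed before `PREFIX_SIZE()` is evaluated. The body of tlv_decode_fec_elm starts and ends outside the hunk.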