From: Donald Sharp
Date: Fri, 2 Dec 2022 16:15:54 +0000 (-0500)
Subject: bgpd: Fix 2 read beyond end of streams in bgp srv6 packet processing
X-Git-Tag: base_8.5~185^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=bc32d9504fac4c21e7bc750399cdd3fa1d693531;p=matthieu%2Ffrr.git

bgpd: Fix 2 read beyond end of streams in bgp srv6 packet processing

It's possible to send less data then the length you say you are.

Reported-by: Iggy Frankovic
Signed-off-by: Donald Sharp
---

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 1f8c7dc098..ace7e79753 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2702,6 +2702,18 @@ bgp_attr_srv6_service_data(struct bgp_attr_parser_args *args)
 }
 if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE) {
+ if (STREAM_READABLE(peer->curr) <
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Malformed SRv6 Service Data Sub-Sub-TLV attribute - insufficient data (need %u, have %zu remaining in UPDATE)",
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH,
+ STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
+
 loc_block_len = stream_getc(peer->curr);
 loc_node_len = stream_getc(peer->curr);
 func_len = stream_getc(peer->curr);
@@ -2774,6 +2786,17 @@ bgp_attr_srv6_service(struct bgp_attr_parser_args *args)
 }
 if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO) {
+ if (STREAM_READABLE(peer->curr) <
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Malformed SRv6 Service Sub-TLV attribute - insufficent data (need %d for attribute data, have %zu remaining in UPDATE)",
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH,
+ STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
 stream_getc(peer->curr);
 stream_get(&ipv6_sid, peer->curr, sizeof(ipv6_sid));
 sid_flags = stream_getc(peer->curr);
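Review bot: The guard added in bgp_attr_srv6_service_data compares `STREAM_READABLE(peer->curr)` only with the fixed `BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH`; nothing in the hunk ties that constant to the length the Sub-Sub-TLV declared for itself. If the declared length (presumably parsed above this hunk, not visible here) is smaller than the constant, the `stream_getc()` reads that follow stay inside the UPDATE buffer but consume bytes that belong to the next TLV, so peer-supplied input can still desynchronise the parser. Consider rejecting that case in the same condition, e.g. `if (DECLARED_LEN < BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH || STREAM_READABLE(peer->curr) < BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {`, where `DECLARED_LEN` is a placeholder for whatever local holds the declared length. The same applies to the `BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH` guard added in bgp_attr_srv6_service. Both function bodies begin and end outside their hunks.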
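Review bot: The log string added in bgp_attr_srv6_service misspells "insufficient" as "insufficent", and it prints the length constant with `%d` where the parallel message in bgp_attr_srv6_service_data uses `%u`. An operator or detection rule that greps logs for the malformed-attribute text will match only one of the two spellings, so the messages should agree: `"Malformed SRv6 Service Sub-TLV attribute - insufficient data (need %u for attribute data, have %zu remaining in UPDATE)",`. Whether `%d` or `%u` is the correct specifier depends on the type of the macro, whose definition is not visible here, so pick the one that matches it and use it in both places. The function body begins and ends outside the hunk.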