From: Louis Scalbert Date: Thu, 28 Sep 2023 13:27:27 +0000 (+0200) Subject: bgpd: fix illegal memory access in bgp_ls_tlv_check_size() X-Git-Tag: base_9.1~22^2~4 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=dae5791c446cd18d8cda93a1e578fff2cd27be10;p=matthieu%2Ffrr.git bgpd: fix illegal memory access in bgp_ls_tlv_check_size() Fix illegal memory access bgp_ls_tlv_check_size() if type is 1253. > CID 1568377 (#4 of 4): Out-of-bounds read (OVERRUN) > 5. overrun-local: Overrunning array bgp_linkstate_tlv_infos of 1253 16-byte elements at element index 1253 (byte offset 20063) using index type (which evaluates to 1253). Fixes: 7e0d9ff8ba ("bgpd: display link-state prefixes detail") Signed-off-by: Louis Scalbert
---
diff --git a/bgpd/bgp_linkstate_tlv.c b/bgpd/bgp_linkstate_tlv.c
index 5538f7a761..6b7d8d2f3e 100644
--- a/bgpd/bgp_linkstate_tlv.c
+++ b/bgpd/bgp_linkstate_tlv.c
@@ -31,7 +31,7 @@ struct bgp_linkstate_tlv_info {
 #define UNDEF_MULTPL 1 /* clang-format off */
-struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX] = {
+struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX + 1] = {
 /* NLRI TLV */ [BGP_LS_TLV_LOCAL_NODE_DESCRIPTORS] = {"Local Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL}, [BGP_LS_TLV_REMOTE_NODE_DESCRIPTORS] = {"Remote Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
@@ -1706,7 +1706,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
 json_tlv = json_object_new_object(); json_object_object_add(json, tlv_type, json_tlv);
- if (type < BGP_LS_TLV_MAX &&
+ if (type <= BGP_LS_TLV_MAX &&
 bgp_linkstate_tlv_infos[type].descr != NULL) json_object_string_add( json_tlv, "description",
@@ -1721,7 +1721,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
 "too high length received: %u", length); break; }
- if (type < BGP_LS_TLV_MAX &&
+ if (type <= BGP_LS_TLV_MAX &&
 bgp_linkstate_tlv_infos[type].descr != NULL && !bgp_ls_tlv_check_size(type, length)) json_object_string_addf(
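Review bot: Nothing at the `bgp_linkstate_tlv_infos` declaration says that the array is indexed directly by TLV type and that `BGP_LS_TLV_MAX` is now the last valid index rather than the element count, so the `+ 1` reads as arbitrary. bgp_ls_tlv_check_size(), which the commit message names as the site of the out-of-bounds read, is not in this diff, so its own bound on `type` and any other user of `BGP_LS_TLV_MAX` outside these hunks should be confirmed against the new meaning. I would add above the array: `/* Indexed by TLV type, 0..BGP_LS_TLV_MAX inclusive; check type <= BGP_LS_TLV_MAX before any lookup. */`. The initializer list continues outside the hunk.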
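Review bot: The guard `type <= BGP_LS_TLV_MAX && bgp_linkstate_tlv_infos[type].descr != NULL` is repeated by hand here and again in the hunks at -1721 and -1729, and the off-by-one being fixed shows how easily a copy drifts from the table size. `type` looks like it is parsed from a received attribute, so each copy is a bounds check on peer-supplied input; a single lookup helper that bounds against the array itself would keep the check and the declaration from diverging. The helper name below is only a suggestion, and the declaration of `type` and the rest of bgp_linkstate_tlv_attribute_display() are outside the hunk.

```c
/* Returns the table entry for a TLV type, or NULL when the type is out of
 * range or has no description. The unsigned parameter also rejects a
 * negative value if the caller's variable is signed.
 */
static const struct bgp_linkstate_tlv_info *
bgp_ls_tlv_info_lookup(unsigned int type)
{
	if (type >= sizeof(bgp_linkstate_tlv_infos) /
			    sizeof(bgp_linkstate_tlv_infos[0]))
		return NULL;
	if (bgp_linkstate_tlv_infos[type].descr == NULL)
		return NULL;
	return &bgp_linkstate_tlv_infos[type];
}

/* … unchanged: json_tlv creation … */
if (bgp_ls_tlv_info_lookup(type) != NULL)
	/* … unchanged: json_object_string_add() call … */
```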
@@ -1729,7 +1729,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
 "unexpected length received: %u", length); } else {
- if (type < BGP_LS_TLV_MAX &&
+ if (type <= BGP_LS_TLV_MAX &&
 bgp_linkstate_tlv_infos[type].descr != NULL) vty_out(vty, "%*s%s: ", indent, "", bgp_linkstate_tlv_infos[type].descr);
diff --git a/bgpd/bgp_linkstate_tlv.h b/bgpd/bgp_linkstate_tlv.h
index ad3b2570d6..cc543735b7 100644
--- a/bgpd/bgp_linkstate_tlv.h
+++ b/bgpd/bgp_linkstate_tlv.h
@@ -197,7 +197,7 @@ enum bgp_linkstate_tlv {
 1251, /* draft-ietf-idr-bgpls-srv6-ext-08 */ BGP_LS_TLV_SRV6_SID_STRUCTURE_TLV = 1252, /* draft-ietf-idr-bgpls-srv6-ext-08 */
- BGP_LS_TLV_MAX = 1253, /* max TLV value for table size*/
+ BGP_LS_TLV_MAX = 1252, /* max TLV value for table size*/
 }; /* RFC7752 #3.2.1.4 IGP router-ID */
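Review bot: The comment on `BGP_LS_TLV_MAX` still reads `/* max TLV value for table size*/`, which does not say whether the constant is the last TLV type or the number of table entries; that ambiguity is what the overrun in the commit message came from. With the value now equal to the highest enumerator, I would reword it to `/* highest defined TLV type; tables indexed by type need BGP_LS_TLV_MAX + 1 entries */`. The comment could also say that adding a TLV above 1252 requires raising this constant, since a stale value would make the `<=` checks in bgp_linkstate_tlv.c skip the new type. The enum body starts outside the hunk.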