git.puffer.fish Git - mirror/frr.git/commit

bgpd: Make sure we have enough data to read two bytes when validating AIGP

Found when fuzzing:

```
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
READ of size 2 at 0xffff77801ef7 thread T0
    0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
    1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
    2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
    3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
    4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
```

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

author	Donatas Abraitis <donatas@opensourcerouting.org>
	Fri, 18 Aug 2023 08:28:03 +0000 (11:28 +0300)
committer	Donatas Abraitis <donatas@opensourcerouting.org>
	Sun, 20 Aug 2023 18:26:00 +0000 (21:26 +0300)
commit	f96201e104892e18493f24cf67bb713678e8237b
tree	766e4bbb188922ea8a8aaebda94e7f78a2151605	tree \| snapshot
parent	1b52af80fd00e8abe3aa11fa6ccbca4f4a359353	commit \| diff