From 3d21e3ebf17c1046839d4c26966c3c7547dc2091 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Sun, 26 May 2024 18:45:01 +0300
Subject: [PATCH] bgpd: Add a safety check for ecommunity_ecom2str
Just in case we have enough data according to the community unit size. It should be 8 or 20 (for now).
Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_ecommunity.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 253538557c..88f139cafd 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -1153,6 +1153,18 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 /* Retrieve value field */
 pnt = ecom->val + (i * ecom->unit_size);
+ uint8_t *data = pnt;
+ uint8_t *end = data + ecom->unit_size;
+ size_t len = end - data;
+
+ /* Sanity check for extended communities lenght, to avoid
+ * overrun when dealing with bits, e.g. ptr_get_be64().
+ */
+ if (len < ecom->unit_size) {
+ unk_ecom = true;
+ goto unknown;
+ }
+
 /* High-order octet is the type */
 type = *pnt++;
@@ -1420,6 +1432,7 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 unk_ecom = true;
 }
+unknown:
 if (unk_ecom) snprintf(encbuf, sizeof(encbuf), "UNK:%d, %d", type, sub_type);
--
2.39.5
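Review bot: The guard added before `type = *pnt++` can never be true: `end` is defined as `data + ecom->unit_size`, so `len` always equals `ecom->unit_size` and `len < ecom->unit_size` is false for every input. The overrun named in the new comment is therefore still unchecked on this path. To enforce what the commit message states (a unit size of 8 or 20), test the unit size itself, for example `if (ecom->unit_size != ECOMMUNITY_SIZE && ecom->unit_size != IPV6_ECOMMUNITY_SIZE) {`; that test does not depend on `i` and could sit before the loop. The loop and the rest of ecommunity_ecom2str lie outside the hunk, so any length validation done elsewhere is not visible here.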
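Review bot: On the `goto unknown` path the `UNK:%d, %d` text is built from `type` and `sub_type` before either has been read for the current entry. It would report the previous iteration's values, or whatever the declarations (outside the hunk) initialise them to. If the jump is meant to be reachable, reset them first, e.g. `type = sub_type = 0;` just before `goto unknown;`. Failing that, a comment at the label such as `/* type/sub_type may be stale when reached via goto */` would document the limitation.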