From c24ceb896e9b93abd8a3d03ded9a703324c56a11 Mon Sep 17 00:00:00 2001
From: Philippe Guibert
Date: Fri, 21 Aug 2020 08:42:20 +0200
Subject: [PATCH] bgpd: fix Dereference of null pointer in flowspec

a dereference of null pointer exists in current flowspec code, with prefix pointer. check validity of pointer before going ahead.

Signed-off-by: Philippe Guibert
---
 bgpd/bgp_flowspec_util.c | 10 +++++---
 bgpd/bgp_flowspec_vty.c | 55 +++++++++++++++++++---------------------
 2 files changed, 32 insertions(+), 33 deletions(-)

diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 0115d7af1e..90e9236385 100644
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -228,10 +228,12 @@ int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
 BGP_FLOWSPEC_STRING_DISPLAY_MAX);
 break;
 case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
- if (prefix_local.family == AF_INET)
- PREFIX_COPY_IPV4(prefix, &prefix_local)
- else
- PREFIX_COPY_IPV6(prefix, &prefix_local)
+ if (prefix) {
+ if (prefix_local.family == AF_INET)
+ PREFIX_COPY_IPV4(prefix, &prefix_local)
+ else
+ PREFIX_COPY_IPV6(prefix, &prefix_local)
+ }
 break;
 case BGP_FLOWSPEC_VALIDATE_ONLY:
 default:
diff --git a/bgpd/bgp_flowspec_vty.c b/bgpd/bgp_flowspec_vty.c
index 92bec6f88a..798bce8219 100644
--- a/bgpd/bgp_flowspec_vty.c
+++ b/bgpd/bgp_flowspec_vty.c
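Review bot: In `bgp_flowspec_ip_address()` (bgpd/bgp_flowspec_util.c), the new `if (prefix)` guard turns a NULL result pointer in the `BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE` case into a silent no-op: nothing is copied and control reaches `break` exactly as it does after a successful conversion. The rest of the function lies outside the hunk, so whether a caller can tell the two outcomes apart is not visible here; if it cannot, a caller that asked for a conversion may go on to use a prefix that was never filled in. Since this code decodes flowspec NLRI, which presumably arrives from BGP peers, I would either report the NULL through the function's existing error path or state the contract next to the guard, e.g. `/* prefix may be NULL; in that case nothing is copied */`. Separately, the `PREFIX_COPY_IPV4(...)`/`PREFIX_COPY_IPV6(...)` invocations without a trailing `;` inside an unbraced `if`/`else` depend on how the macros expand, so bracing both branches would make that robust.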
@@ -274,36 +274,33 @@ void route_vty_out_flowspec(struct vty *vty, const struct prefix *p,
 dest = path->net;
 if (dest)
 bgp_dest_get_bgp_table_info(dest);
- /* Print prefix */
- if (p != NULL) {
- if (p->family != AF_FLOWSPEC)
- return;
- if (json_paths) {
- if (display == NLRI_STRING_FORMAT_JSON)
- json_nlri_path = json_object_new_object();
- else
- json_nlri_path = json_paths;
- }
- if (display == NLRI_STRING_FORMAT_LARGE && path)
- vty_out(vty, "BGP flowspec entry: (flags 0x%x)\n",
- path->flags);
- bgp_fs_nlri_get_string((unsigned char *)
- p->u.prefix_flowspec.ptr,
- p->u.prefix_flowspec.prefixlen,
- return_string,
- display,
- json_nlri_path,
- family2afi(p->u.prefix_flowspec
- .family));
- if (display == NLRI_STRING_FORMAT_LARGE)
- vty_out(vty, "%s", return_string);
- else if (display == NLRI_STRING_FORMAT_DEBUG)
- vty_out(vty, "%s", return_string);
- else if (display == NLRI_STRING_FORMAT_MIN)
- vty_out(vty, " %-30s", return_string);
- else if (json_paths && display == NLRI_STRING_FORMAT_JSON)
- json_object_array_add(json_paths, json_nlri_path);
+ if (p == NULL || p->family != AF_FLOWSPEC)
+ return;
+ if (json_paths) {
+ if (display == NLRI_STRING_FORMAT_JSON)
+ json_nlri_path = json_object_new_object();
+ else
+ json_nlri_path = json_paths;
 }
+ if (display == NLRI_STRING_FORMAT_LARGE && path)
+ vty_out(vty, "BGP flowspec entry: (flags 0x%x)\n",
+ path->flags);
+ bgp_fs_nlri_get_string((unsigned char *)
+ p->u.prefix_flowspec.ptr,
+ p->u.prefix_flowspec.prefixlen,
+ return_string,
+ display,
+ json_nlri_path,
+ family2afi(p->u.prefix_flowspec
+ .family));
+ if (display == NLRI_STRING_FORMAT_LARGE)
+ vty_out(vty, "%s", return_string);
+ else if (display == NLRI_STRING_FORMAT_DEBUG)
+ vty_out(vty, "%s", return_string);
+ else if (display == NLRI_STRING_FORMAT_MIN)
+ vty_out(vty, " %-30s", return_string);
+ else if (json_paths && display == NLRI_STRING_FORMAT_JSON)
+ json_object_array_add(json_paths, json_nlri_path);
 if (!path)
 return;
 if (path->attr &&
-- 
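Review bot: `path` is still dereferenced unconditionally at `dest = path->net;` (first context line of the hunk), yet the code tests it twice afterwards (`display == NLRI_STRING_FORMAT_LARGE && path` and `if (!path) return;`), so either those tests are dead or this is the same class of NULL dereference the commit fixes for `p`. Unless a line above the hunk already guards it, `dest = path ? path->net : NULL;` would make the function consistent. The early `return` also changes behaviour for `p == NULL`: the old code skipped only the prefix block and continued to the `if (!path)` section, while the new code emits nothing at all, which deserves a line in the commit message if it is intended. The function body starts and ends outside the hunk.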
2.39.5