Merge pull request #16786 from FRRouting/mergify/bp/stable/9.0/pr-16718

isisd: fix crash when reading asla (backport #16718)

2 files changed, 12 insertions, 2 deletions

diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 1022399258..91762af444 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -1131,8 +1131,8 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
 	uint8_t sabm_flag_len;
 	/* User-defined App Identifier Bit Flags/Length */
 	uint8_t uabm_flag_len;
-	uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
-	uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0};
+	uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH] = { 0 };
+	uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH] = { 0 };
 	uint8_t readable = subtlv_len;
 	uint8_t subsubtlv_type;
 	uint8_t subsubtlv_len;
@@ -1163,6 +1163,15 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len,
 		return -1;
 	}
 
+	if ((asla->standard_apps_length > ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH) ||
+	    (asla->user_def_apps_length > ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH)) {
+		zlog_err("Standard or User-Defined Application Identifier Bit Mask Length greater than %u bytes. Received respectively a length of %u and %u bytes.",
+			 ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH,
+			 asla->standard_apps_length, asla->user_def_apps_length);
+		stream_forward_getp(s, readable);
+		return -1;
+	}
+
 	for (int i = 0; i < asla->standard_apps_length; i++)
 		sabm[i] = stream_getc(s);
 	for (int i = 0; i < asla->user_def_apps_length; i++)
diff --git a/isisd/isis_tlvs.h b/isisd/isis_tlvs.h
index 03e2b2edcc..e4c2d675dd 100644
--- a/isisd/isis_tlvs.h
+++ b/isisd/isis_tlvs.h
@@ -560,6 +560,7 @@ struct isis_ext_subtlvs {
 #define ISIS_SABM_FLAG_X 0x10 /* Flex-Algorithm - RFC9350 */
 
 #define ASLA_APP_IDENTIFIER_BIT_LENGTH 1
+#define ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH 8
 #define ASLA_LEGACY_FLAG 0x80
 #define ASLA_APPS_LENGTH_MASK 0x7f