bgpd: Add a safety check for ecommunity_ecom2str

Just in case we have enough data according to the community unit size. It should be 8 or 20 (for now). Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
author: Donatas Abraitis <donatas@opensourcerouting.org> 2024-05-26 18:45:01 +0300
committer: Donatas Abraitis <donatas@opensourcerouting.org> 2024-05-26 18:45:01 +0300
commit: 3d21e3ebf17c1046839d4c26966c3c7547dc2091 (patch)
tree: eee7c1f12d53795e987e9bd8d771564cc300a382
parent: 496ede2495b7131c102b379bd9bbb71bc7514edd (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 253538557c..88f139cafd 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -1153,6 +1153,18 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 		/* Retrieve value field */
 		pnt = ecom->val + (i * ecom->unit_size);
 
+		uint8_t *data = pnt;
+		uint8_t *end = data + ecom->unit_size;
+		size_t len = end - data;
+
+		/* Sanity check for extended communities lenght, to avoid
+		 * overrun when dealing with bits, e.g. ptr_get_be64().
+		 */
+		if (len < ecom->unit_size) {
+			unk_ecom = true;
+			goto unknown;
+		}
+
 		/* High-order octet is the type */
 		type = *pnt++;
 
@@ -1420,6 +1432,7 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 			unk_ecom = true;
 		}
 
+unknown:
 		if (unk_ecom)
 			snprintf(encbuf, sizeof(encbuf), "UNK:%d, %d", type,
 				 sub_type);
author	Donatas Abraitis <donatas@opensourcerouting.org>	2024-05-26 18:45:01 +0300
committer	Donatas Abraitis <donatas@opensourcerouting.org>	2024-05-26 18:45:01 +0300
commit	3d21e3ebf17c1046839d4c26966c3c7547dc2091 (patch)
tree	eee7c1f12d53795e987e9bd8d771564cc300a382
parent	496ede2495b7131c102b379bd9bbb71bc7514edd (diff)