diff options
| author | Sri Mohana Singamsetty <srimohans@gmail.com> | 2019-11-15 15:38:14 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-11-15 15:38:14 -0800 |
| commit | 48ff241f1f80b9aa27f7fb0d0b9eeaeaeebcc96b (patch) | |
| tree | b8ab154233cde50847578ab7800fd38ba709cf9d | |
| parent | 8fed6c2d2afbb22c764e85882d229120ebdc2abb (diff) | |
| parent | 80ecb9cac90697215362541e2a83d8073df74857 (diff) | |
Merge pull request #5338 from opensourcerouting/ldpd-buffer-overflow-7.0
[7.0] ldpd: add missing sanity check in the parsing of label messages
| -rw-r--r-- | ldpd/labelmapping.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ldpd/labelmapping.c b/ldpd/labelmapping.c index 5e1b422a41..a656626356 100644 --- a/ldpd/labelmapping.c +++ b/ldpd/labelmapping.c @@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf, /* Prefix Length */ map->fec.prefix.prefixlen = buf[off]; off += sizeof(uint8_t); + if ((map->fec.prefix.af == AF_IPV4 + && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN) + || (map->fec.prefix.af == AF_IPV6 + && map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) { + session_shutdown(nbr, S_BAD_TLV_VAL, msg->id, + msg->type); + return (-1); + } if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) { session_shutdown(nbr, S_BAD_TLV_LEN, msg->id, msg->type); |