| author | Louis Scalbert <louis.scalbert@6wind.com> | 2023-09-28 16:55:43 +0200 |
|---|---|---|
| committer | Louis Scalbert <louis.scalbert@6wind.com> | 2023-09-28 17:51:26 +0200 |
| commit | 57d0dc565f6a99c3d61b9b67a40ad88a83773eb6 (patch) | |
| tree | e10c0b98ace70fa6b7d3bcfd74f9755ca4786f65 | |
| parent | 54222f921305edbce74e81996e9303c0c6b03823 (diff) | |
bgpd: fix insecure data write with area addresses
Fix an issue where an attacker may inject a tainted length value to
corrupt the memory.
> CID 1568380 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
> 9. tainted_data: Passing tainted expression length to bgp_linkstate_nlri_value_display, which uses it as an offset
Fixes: 8b531b1107 ("bgpd: store and send bgp link-state attributes")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
| -rw-r--r-- | bgpd/bgp_linkstate_tlv.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/bgpd/bgp_linkstate_tlv.c b/bgpd/bgp_linkstate_tlv.c index 1594d8fd95..f2bd36524d 100644 --- a/bgpd/bgp_linkstate_tlv.c +++ b/bgpd/bgp_linkstate_tlv.c @@ -1528,6 +1528,11 @@ static void bgp_linkstate_tlv_isis_area_indentifier_display(struct vty *vty, { struct iso_address addr; + if (length > sizeof(addr.area_addr)) { + bgp_linkstate_tlv_hexa_display(vty, pnt, length, json); + return; + } + addr.addr_len = length; memcpy(addr.area_addr, pnt, length); |
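Review bot: The new `if (length > sizeof(addr.area_addr))` guard in bgp_linkstate_tlv_isis_area_indentifier_display carries no comment explaining why an oversized area address falls back to bgp_linkstate_tlv_hexa_display, and the output gives no sign that the TLV length was out of range. A one-line comment above the check would make the intent clear to the next reader. The guard also sits in a display routine, so it protects only this `memcpy(addr.area_addr, pnt, length)`; consider validating or flagging the length where the TLV is first parsed, so that any other consumer of the same length value gets the same bound.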
