diff options
| author | Sri Mohana Singamsetty <srimohans@gmail.com> | 2019-11-15 15:37:33 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-11-15 15:37:33 -0800 |
| commit | c3ccfcfaaab479ba2ead5fb2a602f41d030c146e (patch) | |
| tree | 811c5662315cba419388098118f526a9efa0de8b | |
| parent | 1e5fe0e258a7c029eb2c9aa8b8f19a28196830da (diff) | |
| parent | f2e8b73572bb4b10adeeec5de8e9773f55749140 (diff) | |
Merge pull request #5335 from opensourcerouting/ldpd-buffer-overflow
ldpd: add missing sanity check in the parsing of label messages
| -rw-r--r-- | ldpd/labelmapping.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ldpd/labelmapping.c b/ldpd/labelmapping.c index 5e1b422a41..a656626356 100644 --- a/ldpd/labelmapping.c +++ b/ldpd/labelmapping.c @@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf, /* Prefix Length */ map->fec.prefix.prefixlen = buf[off]; off += sizeof(uint8_t); + if ((map->fec.prefix.af == AF_IPV4 + && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN) + || (map->fec.prefix.af == AF_IPV6 + && map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) { + session_shutdown(nbr, S_BAD_TLV_VAL, msg->id, + msg->type); + return (-1); + } if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) { session_shutdown(nbr, S_BAD_TLV_LEN, msg->id, msg->type); |