| author | Donatas Abraitis <donatas@opensourcerouting.org> | 2022-12-05 22:46:07 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-05 22:46:07 +0200 |
| commit | f44032cfc80a682c75f70f1b68dd8b174b3f61dd (patch) | |
| tree | a799af210bcc5441c440eec6376cbfa5016a1973 | |
| parent | 1f98f424432a9e03032109156a26dd7d6f932b3e (diff) | |
| parent | bc32d9504fac4c21e7bc750399cdd3fa1d693531 (diff) | |
Merge pull request #12433 from donaldsharp/more_use_after_use_and_use
bgpd: Fix 2 read beyond end of streams in bgp srv6 packet processing
| -rw-r--r-- | bgpd/bgp_attr.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 1f8c7dc098..ace7e79753 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2702,6 +2702,18 @@ bgp_attr_srv6_service_data(struct bgp_attr_parser_args *args)
 }
 if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE) {
+ if (STREAM_READABLE(peer->curr) <
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Malformed SRv6 Service Data Sub-Sub-TLV attribute - insufficient data (need %u, have %zu remaining in UPDATE)",
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH,
+ STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
+
 loc_block_len = stream_getc(peer->curr);
 loc_node_len = stream_getc(peer->curr);
 func_len = stream_getc(peer->curr);
@@ -2774,6 +2786,17 @@ bgp_attr_srv6_service(struct bgp_attr_parser_args *args)
 }
 if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO) {
+ if (STREAM_READABLE(peer->curr) <
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Malformed SRv6 Service Sub-TLV attribute - insufficent data (need %d for attribute data, have %zu remaining in UPDATE)",
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH,
+ STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
 stream_getc(peer->curr);
 stream_get(&ipv6_sid, peer->curr, sizeof(ipv6_sid));
 sid_flags = stream_getc(peer->curr); |
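Review bot: The new guard in bgp_attr_srv6_service_data compares the fixed structure size with `STREAM_READABLE(peer->curr)`, which is what remains of the whole UPDATE, not the length this Sub-Sub-TLV declared for itself. A TLV that declares a shorter length but is followed by further attribute data would pass the check, and the fixed-size `stream_getc` reads would then take bytes that belong to the next element, leaving the parser out of step without an error. The function body starts outside the hunk, so it cannot be confirmed here whether the declared length is already compared with `BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH`. If it is not, add that comparison beside this guard and reject through the same `bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, args->total)` path. The same applies to the `BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH` guard in bgp_attr_srv6_service in the second hunk.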
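Review bot: The log string added in bgp_attr_srv6_service misspells "insufficent" and formats the length constant with `%d`, while the parallel message in bgp_attr_srv6_service_data has "insufficient" and `%u`. Log searches or alert rules keyed on the wording of these `EC_BGP_ATTR_LEN` messages would match only one of the two malformed-attribute paths. Change the literal to `"Malformed SRv6 Service Sub-TLV attribute - insufficient data (need %d for attribute data, have %zu remaining in UPDATE)"`. Which of `%d` and `%u` is correct depends on how the length macros are defined, which is not visible in this diff; use the matching specifier in both messages.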
