Merge pull request #18472 from zmw12306/Update-TLV

babeld: Add input validation for update TLV.
author: Jafar Al-Gharaibeh <jafar@atcorp.com> 2025-04-10 09:59:13 -0500
committer: GitHub <noreply@github.com> 2025-04-10 09:59:13 -0500
commit: fc3e1ec15f4845ddb7a04bdbca783f0911e111a1 (patch)
tree: 0e76862cab925cc0cb280c47e049d903bd61b041
parent: 2355683c729074ddf37115dc5494d9bed4a220ea (diff)
parent: c2e69624baae9563fa4342c9ade19f9fec8fb0ce (diff)
1 files changed, 23 insertions, 3 deletions
diff --git a/babeld/message.c b/babeld/message.c
index 2269fbcfed..c8b1318c7a 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -591,6 +591,20 @@ parse_packet(const unsigned char *from, struct interface *ifp,
             int rc, parsed_len;
             bool ignore_update = false;
 
+            // Basic sanity check on length
+            if (len < 10) {
+                if (len < 2 || (message[3] & 0x80)) {
+                    have_v4_prefix = have_v6_prefix = 0;
+                }
+                goto fail;
+            }
+
+            if(!known_ae(message[2])) {
+                debugf(BABEL_DEBUG_COMMON,"Received update with unknown AE %d. Ignoring.",
+                       message[2]);
+                goto done;
+            }
+
             DO_NTOHS(interval, message + 6);
             DO_NTOHS(seqno, message + 8);
             DO_NTOHS(metric, message + 10);
@@ -629,7 +643,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
                 }
                 have_router_id = 1;
             }
-            if(!have_router_id && message[2] != 0) {
+            if(metric < INFINITY && !have_router_id && message[2] != 0) {
                 flog_err(EC_BABEL_PACKET,
 			  "Received prefix with no router id.");
                 goto fail;
@@ -641,9 +655,15 @@ parse_packet(const unsigned char *from, struct interface *ifp,
                    format_address(from), ifp->name);
 
             if(message[2] == 0) {
-                if(metric < 0xFFFF) {
+                if(metric < INFINITY) {
+                    flog_err(EC_BABEL_PACKET,
+			     "Received wildcard update with finite metric.");
+                    goto done;
+                }
+                // Add check for Plen and Omitted
+                if(message[4] != 0 || message[5] != 0) {
                     flog_err(EC_BABEL_PACKET,
-			      "Received wildcard update with finite metric.");
+                             "Received wildcard retraction with non-zero Plen or Omitted.");
                     goto done;
                 }
                 retract_neighbour_routes(neigh);
author	Jafar Al-Gharaibeh <jafar@atcorp.com>	2025-04-10 09:59:13 -0500
committer	GitHub <noreply@github.com>	2025-04-10 09:59:13 -0500
commit	fc3e1ec15f4845ddb7a04bdbca783f0911e111a1 (patch)
tree	0e76862cab925cc0cb280c47e049d903bd61b041
parent	2355683c729074ddf37115dc5494d9bed4a220ea (diff)
parent	c2e69624baae9563fa4342c9ade19f9fec8fb0ce (diff)