| author | Louis Scalbert <louis.scalbert@6wind.com> | 2023-09-28 15:27:27 +0200 |
|---|---|---|
| committer | Louis Scalbert <louis.scalbert@6wind.com> | 2023-09-28 15:27:27 +0200 |
| commit | dae5791c446cd18d8cda93a1e578fff2cd27be10 (patch) | |
| tree | 3243e2c96194b347665d648d87fe23202bc99b57 /bgpd | |
| parent | eb9e2865116777661c44963769c1a5fed764b7f9 (diff) | |
bgpd: fix illegal memory access in bgp_ls_tlv_check_size()
Fix illegal memory access in bgp_ls_tlv_check_size() if type is 1253.
> CID 1568377 (#4 of 4): Out-of-bounds read (OVERRUN)
> 5. overrun-local: Overrunning array bgp_linkstate_tlv_infos of 1253 16-byte elements at element index 1253 (byte offset 20063) using index type (which evaluates to 1253).
Fixes: 7e0d9ff8ba ("bgpd: display link-state prefixes detail")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Diffstat (limited to 'bgpd')
| -rw-r--r-- | bgpd/bgp_linkstate_tlv.c | 8 | ||||
| -rw-r--r-- | bgpd/bgp_linkstate_tlv.h | 2 |
2 files changed, 5 insertions, 5 deletions
diff --git a/bgpd/bgp_linkstate_tlv.c b/bgpd/bgp_linkstate_tlv.c index 5538f7a761..6b7d8d2f3e 100644 --- a/bgpd/bgp_linkstate_tlv.c +++ b/bgpd/bgp_linkstate_tlv.c @@ -31,7 +31,7 @@ struct bgp_linkstate_tlv_info { #define UNDEF_MULTPL 1 /* clang-format off */ -struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX] = { +struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX + 1] = { /* NLRI TLV */ [BGP_LS_TLV_LOCAL_NODE_DESCRIPTORS] = {"Local Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL}, [BGP_LS_TLV_REMOTE_NODE_DESCRIPTORS] = {"Remote Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL}, @@ -1706,7 +1706,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty, json_tlv = json_object_new_object(); json_object_object_add(json, tlv_type, json_tlv); - if (type < BGP_LS_TLV_MAX && + if (type <= BGP_LS_TLV_MAX && bgp_linkstate_tlv_infos[type].descr != NULL) json_object_string_add( json_tlv, "description", @@ -1721,7 +1721,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty, "too high length received: %u", length); break; } - if (type < BGP_LS_TLV_MAX && + if (type <= BGP_LS_TLV_MAX && bgp_linkstate_tlv_infos[type].descr != NULL && !bgp_ls_tlv_check_size(type, length)) json_object_string_addf( @@ -1729,7 +1729,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty, "unexpected length received: %u", length); } else { - if (type < BGP_LS_TLV_MAX && + if (type <= BGP_LS_TLV_MAX && bgp_linkstate_tlv_infos[type].descr != NULL) vty_out(vty, "%*s%s: ", indent, "", bgp_linkstate_tlv_infos[type].descr); diff --git a/bgpd/bgp_linkstate_tlv.h b/bgpd/bgp_linkstate_tlv.h index ad3b2570d6..cc543735b7 100644 --- a/bgpd/bgp_linkstate_tlv.h +++ b/bgpd/bgp_linkstate_tlv.h 
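Review bot: The declaration of `bgp_linkstate_tlv_infos` does not state its index contract, which is the very thing this commit changes: the table is indexed by TLV type over 0..`BGP_LS_TLV_MAX` inclusive, and types without a designated initializer are zero-filled, so their `descr` is NULL. I would add above the declaration `/* Indexed by TLV type, 0..BGP_LS_TLV_MAX inclusive; unlisted types have descr == NULL. Range-check type before indexing. */`. The index is presumably a TLV type taken from a received attribute, so each lookup needs the range test as well as the NULL test. The initializer list continues past the end of the hunk.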
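Review bot: The guard `type <= BGP_LS_TLV_MAX && bgp_linkstate_tlv_infos[type].descr != NULL` is written out by hand here and again in the hunks at -1721 and -1729 of bgp_linkstate_tlv_attribute_display(), and a hand-copied bound is easy to get wrong by one, as the overrun quoted in the commit message shows. A file-local lookup helper placed next to the table (the name below is only a suggestion) would keep the range test in one place and reduce each call site to a NULL test on its result. The declaration of `type` lies outside the hunks; if it is a signed type, `<=` alone does not reject negative values, which is why the sketch takes an unsigned parameter. The function body starts and ends outside these hunks.

```c
/* Description for a TLV type, or NULL when the type is out of range or unlisted. */
static const char *bgp_ls_tlv_descr(unsigned int type)
{
	if (type > BGP_LS_TLV_MAX)
		return NULL;
	return bgp_linkstate_tlv_infos[type].descr;
}

/* … unchanged: bgp_linkstate_tlv_attribute_display(); each of the three guards becomes a NULL test on bgp_ls_tlv_descr(type) … */
```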
@@ -197,7 +197,7 @@ enum bgp_linkstate_tlv { 1251, /* draft-ietf-idr-bgpls-srv6-ext-08 */ BGP_LS_TLV_SRV6_SID_STRUCTURE_TLV = 1252, /* draft-ietf-idr-bgpls-srv6-ext-08 */ - BGP_LS_TLV_MAX = 1253, /* max TLV value for table size*/ + BGP_LS_TLV_MAX = 1252, /* max TLV value for table size*/ }; /* RFC7752 #3.2.1.4 IGP router-ID */ |
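Review bot: The comment on `BGP_LS_TLV_MAX` still reads `/* max TLV value for table size*/`, which does not say whether the constant is the last valid type or the element count; I would change it to `/* highest defined TLV type; tables indexed by type need BGP_LS_TLV_MAX + 1 entries */`. bgp_ls_tlv_check_size(), the function named in the subject, is not modified by any hunk, so its range test presumably already compares against `BGP_LS_TLV_MAX` and becomes correct only through this new value. That is worth confirming in the file, together with any caller that reaches it without the display function's guard. The diffstat (limited to bgpd) lists only these two files, so any other use of the constant as a count, such as a loop bound or a buffer size, would now stop one short of type 1252. The enum starts outside the hunk.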
