Merge pull request #5335 from opensourcerouting/ldpd-buffer-overflow

ldpd: add missing sanity check in the parsing of label messages
author: Sri Mohana Singamsetty <srimohans@gmail.com> 2019-11-15 15:37:33 -0800
committer: GitHub <noreply@github.com> 2019-11-15 15:37:33 -0800
commit: c3ccfcfaaab479ba2ead5fb2a602f41d030c146e (patch)
tree: 811c5662315cba419388098118f526a9efa0de8b /ldpd/labelmapping.c
parent: 1e5fe0e258a7c029eb2c9aa8b8f19a28196830da (diff)
parent: f2e8b73572bb4b10adeeec5de8e9773f55749140 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/ldpd/labelmapping.c b/ldpd/labelmapping.c
index 5e1b422a41..a656626356 100644
--- a/ldpd/labelmapping.c
+++ b/ldpd/labelmapping.c
@@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf,
 		/* Prefix Length */
 		map->fec.prefix.prefixlen = buf[off];
 		off += sizeof(uint8_t);
+		if ((map->fec.prefix.af == AF_IPV4
+		     && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN)
+		    || (map->fec.prefix.af == AF_IPV6
+			&& map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) {
+			session_shutdown(nbr, S_BAD_TLV_VAL, msg->id,
+			    msg->type);
+			return (-1);
+		}
 		if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) {
 			session_shutdown(nbr, S_BAD_TLV_LEN, msg->id,
 			    msg->type);
author	Sri Mohana Singamsetty <srimohans@gmail.com>	2019-11-15 15:37:33 -0800
committer	GitHub <noreply@github.com>	2019-11-15 15:37:33 -0800
commit	c3ccfcfaaab479ba2ead5fb2a602f41d030c146e (patch)
tree	811c5662315cba419388098118f526a9efa0de8b /ldpd/labelmapping.c
parent	1e5fe0e258a7c029eb2c9aa8b8f19a28196830da (diff)
parent	f2e8b73572bb4b10adeeec5de8e9773f55749140 (diff)