| author | Donald Sharp <sharpd@nvidia.com> | 2021-03-19 09:27:51 -0400 |
|---|---|---|
| committer | Donald Sharp <sharpd@nvidia.com> | 2021-03-25 09:11:28 -0400 |
| commit | 7ce31babfcfc036e0f616745906a1935ae41c0fd (patch) | |
| tree | 07cb8dfdb805f996951f6e28c7d1a4d6baa1c49d /lib/lib_errors.c | |
| parent | 0621b32e25df0f38dbb68e77f3002294db3b33da (diff) | |
isisd: Prevent OOM crash in isis

When you set the isis mtu to 200, isis ends up in an infinite loop
trying to fragment the tlv's.

Specifically (for me) the extended reachability function
for packing pack_item_extended_reach requires 11 + ISIS_SUBTLV_MAX_SIZE
room in the packet. Which is 180 bytes. At this point we have
174 bytes that we can write into a packet.

I created this by modifying the isis-topo1 topology to all
the isis routers to have a lsp-mtu of 200 and immediately
saw the crash.

Effectively the pack_items_ function had no detection for
when a part of the next bit it was writing into the stream
could not even fit and it would go into an infinite loop
allocating ~800 bytes at a time. This would cause the
router to run out of memory very very fast and the OOM
detector would kill the process.

Modify the code to notice that we have insufficient space to
even write any data into the stream.

I suspect that pack_item_extended_reach could also be optimized
to figure out exactly how much space is needed. But I also
think we need this protection in the function if this ever
happens again.

I also do not understand the use case of saying the min mtu is
200.

Fixes: #8289
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
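
The failure mode described in the commit message, as an added example that is not FRR's code: a fragmenting packer that refuses an item whose up-front room requirement exceeds an empty fragment, instead of opening fragments forever. `pack_fragments`, `struct item`, `PACK_WONT_FIT`, the fragment cap and the 30-byte written length are hypothetical; only the 180-byte requirement and the 174 usable bytes come from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not FRR's structures: each item declares the
 * worst-case room its packer demands before it writes anything. */
struct item {
	size_t need;	/* room required up front, e.g. 11 + max sub-TLV size */
	size_t len;	/* bytes actually written */
};

enum { PACK_WONT_FIT = -1 };

/* Pack items into fragments of `cap` usable bytes each.
 * Returns the number of fragments used, or PACK_WONT_FIT when an item
 * demands more room than an empty fragment offers. Without that check the
 * loop would keep opening fresh fragments and never advance `i`. */
static int pack_fragments(const struct item *items, size_t n, size_t cap,
			  int max_frags)
{
	size_t i = 0, used = 0;
	int frags = n ? 1 : 0;

	while (i < n) {
		if (items[i].need > cap || items[i].len > items[i].need)
			return PACK_WONT_FIT;	/* no fragment can ever hold it */
		if (items[i].need > cap - used) {
			/* Current fragment is too full: open a new one. `used` is
			 * nonzero here, so the retry on an empty one succeeds. */
			if (++frags > max_frags)
				return PACK_WONT_FIT;
			used = 0;
			continue;
		}
		used += items[i].len;
		i++;
	}
	return frags;
}

int main(void)
{
	/* Constructed sample: three items that each demand 180 bytes of room. */
	struct item reach[3] = { {180, 30}, {180, 30}, {180, 30} };

	printf("cap 174: %d\n", pack_fragments(reach, 3, 174, 256));
	printf("cap 200: %d\n", pack_fragments(reach, 3, 200, 256));
	return 0;
}
```

The `max_frags` bound is a second, independent stop: even if a sizing bug slips past the first check, memory use stays capped.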
Diffstat (limited to 'lib/lib_errors.c')
0 files changed, 0 insertions, 0 deletions
