diff options
| author | Donatas Abraitis <donatas@opensourcerouting.org> | 2024-06-12 22:54:45 +0300 |
|---|---|---|
| committer | Donatas Abraitis <donatas@opensourcerouting.org> | 2024-06-12 22:54:45 +0300 |
| commit | 5d7af51c4f7980507135babd94d392ca179c1bf7 (patch) | |
| tree | 0ceb48d9654378f7ed58bd17c79d972b36343438 /ospfclient/ospfclient.py | |
| parent | d5b0c76eddc8c30b8306ed7f53f6c8d94f4b0c37 (diff) | |
bgpd: Check if we have really enough data before doing memcpy for software version
If we receive CAPABILITY message (software-version), we SHOULD check if we really
have enough data before doing memcpy(), that could also lead to buffer overflow.
(data + len > end) is not enough, because after this check we do data++ and later
memcpy(..., data, len). That means we have one more byte.
Hit this through fuzzing by
```
0 0xaaaaaadf872c in __asan_memcpy (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x35872c) (BuildId: 9c6e455d0d9a20f5a4d2f035b443f50add9564d7)
1 0xaaaaab06bfbc in bgp_dynamic_capability_software_version /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3713:3
2 0xaaaaab05ccb4 in bgp_capability_msg_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3839:4
3 0xaaaaab05c074 in bgp_capability_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3980:9
4 0xaaaaab05e48c in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4109:11
5 0xaaaaaae36150 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```
Hit this again by Iggy \m/
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Diffstat (limited to 'ospfclient/ospfclient.py')
0 files changed, 0 insertions, 0 deletions