-rw-r--r--bgpd/bgp_filter.c6
-rw-r--r--ospfclient/ospf_apiclient.c18
-rw-r--r--ospfd/ospf_gr_helper.c87
3 files changed, 100 insertions, 11 deletions
diff --git a/bgpd/bgp_filter.c b/bgpd/bgp_filter.c
index 0308a30d54..3162579688 100644
--- a/bgpd/bgp_filter.c
+++ b/bgpd/bgp_filter.c
@@ -507,14 +507,16 @@ DEFUN(no_as_path, no_bgp_as_path_cmd,
/* Lookup asfilter. */
asfilter = as_filter_lookup(aslist, regstr, type);
- XFREE(MTYPE_TMP, regstr);
bgp_regex_free(regex);
if (asfilter == NULL) {
- vty_out(vty, "\n");
+ vty_out(vty, "Regex entered %s does not exist\n", regstr);
+ XFREE(MTYPE_TMP, regstr);
return CMD_WARNING_CONFIG_FAILED;
}
+ XFREE(MTYPE_TMP, regstr);
+
as_list_filter_delete(aslist, asfilter);
return CMD_SUCCESS;
diff --git a/ospfclient/ospf_apiclient.c b/ospfclient/ospf_apiclient.c
index fb8ad3e60a..d4f0dc953c 100644
--- a/ospfclient/ospf_apiclient.c
+++ b/ospfclient/ospf_apiclient.c
@@ -565,6 +565,7 @@ static void ospf_apiclient_handle_lsa_update(struct ospf_apiclient *oclient,
{
struct msg_lsa_change_notify *cn;
struct lsa_header *lsa;
+ void *p;
uint16_t lsalen;
cn = (struct msg_lsa_change_notify *)STREAM_DATA(msg->s);
@@ -578,9 +579,11 @@ static void ospf_apiclient_handle_lsa_update(struct ospf_apiclient *oclient,
__func__, lsalen, OSPF_MAX_LSA_SIZE);
return;
}
- lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
- memcpy(lsa, &(cn->data), lsalen);
+ p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
+
+ memcpy(p, &(cn->data), lsalen);
+ lsa = p;
/* Invoke registered update callback function */
if (oclient->update_notify) {
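Review bot: The `memcpy(p, &(cn->data), lsalen)` in this hunk copies a length taken from the message, and the only guard visible here is the rejection that logs `lsalen` against `OSPF_MAX_LSA_SIZE`; its condition sits above the hunk, so a lower bound may already exist there. If it does not, an `lsalen` smaller than `struct lsa_header` yields an allocation shorter than the header that `lsa` is then handed to the callback as, and an `lsalen` larger than what `msg->s` actually holds makes the copy read past the received data. Consider rejecting early with `if (lsalen < sizeof(struct lsa_header)) return;` and also comparing `lsalen` with the number of bytes present in the message body. The same applies to the matching hunk in `ospf_apiclient_handle_lsa_delete`. A one-line comment on `void *p` saying why the copy goes through an untyped pointer would also help the next reader.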
@@ -589,7 +592,7 @@ static void ospf_apiclient_handle_lsa_update(struct ospf_apiclient *oclient,
}
/* free memory allocated by ospf apiclient library */
- XFREE(MTYPE_OSPF_APICLIENT, lsa);
+ XFREE(MTYPE_OSPF_APICLIENT, p);
}
static void ospf_apiclient_handle_lsa_delete(struct ospf_apiclient *oclient,
@@ -597,6 +600,7 @@ static void ospf_apiclient_handle_lsa_delete(struct ospf_apiclient *oclient,
{
struct msg_lsa_change_notify *cn;
struct lsa_header *lsa;
+ void *p;
uint16_t lsalen;
cn = (struct msg_lsa_change_notify *)STREAM_DATA(msg->s);
@@ -610,9 +614,11 @@ static void ospf_apiclient_handle_lsa_delete(struct ospf_apiclient *oclient,
__func__, lsalen, OSPF_MAX_LSA_SIZE);
return;
}
- lsa = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
- memcpy(lsa, &(cn->data), lsalen);
+ p = XMALLOC(MTYPE_OSPF_APICLIENT, lsalen);
+
+ memcpy(p, &(cn->data), lsalen);
+ lsa = p;
/* Invoke registered update callback function */
if (oclient->delete_notify) {
@@ -621,7 +627,7 @@ static void ospf_apiclient_handle_lsa_delete(struct ospf_apiclient *oclient,
}
/* free memory allocated by ospf apiclient library */
- XFREE(MTYPE_OSPF_APICLIENT, lsa);
+ XFREE(MTYPE_OSPF_APICLIENT, p);
}
static void ospf_apiclient_msghandle(struct ospf_apiclient *oclient,
diff --git a/ospfd/ospf_gr_helper.c b/ospfd/ospf_gr_helper.c
index 391c802404..616013fb9e 100644
--- a/ospfd/ospf_gr_helper.c
+++ b/ospfd/ospf_gr_helper.c
@@ -233,12 +233,38 @@ static int ospf_extract_grace_lsa_fields(struct ospf_lsa *lsa,
lsah = (struct lsa_header *)lsa->data;
- length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
+ length = ntohs(lsah->length);
+
+ /* Check LSA len */
+ if (length <= OSPF_LSA_HEADER_SIZE) {
+ if (IS_DEBUG_OSPF_GR_HELPER)
+ zlog_debug("%s: Malformed packet: Invalid LSA len:%d",
+ __func__, length);
+ return OSPF_GR_FAILURE;
+ }
+
+ length -= OSPF_LSA_HEADER_SIZE;
for (tlvh = TLV_HDR_TOP(lsah); sum < length;
tlvh = TLV_HDR_NEXT(tlvh)) {
+
+ /* Check TLV len against overall LSA */
+ if (sum + TLV_SIZE(tlvh) > length) {
+ if (IS_DEBUG_OSPF_GR_HELPER)
+ zlog_debug("%s: Malformed packet: Invalid TLV len:%zu",
+ __func__, TLV_SIZE(tlvh));
+ return OSPF_GR_FAILURE;
+ }
+
switch (ntohs(tlvh->type)) {
case GRACE_PERIOD_TYPE:
+ if (TLV_SIZE(tlvh) <
+ sizeof(struct grace_tlv_graceperiod)) {
+ zlog_debug("%s: Malformed packet: Invalid grace TLV len:%zu",
+ __func__, TLV_SIZE(tlvh));
+ return OSPF_GR_FAILURE;
+ }
+
grace_period = (struct grace_tlv_graceperiod *)tlvh;
*interval = ntohl(grace_period->interval);
sum += TLV_SIZE(tlvh);
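Review bot: The new `sum + TLV_SIZE(tlvh) > length` check at the top of the loop evaluates `TLV_SIZE(tlvh)`, which reads `tlvh->length`, before anything confirms that a whole TLV header still fits in the remaining `length - sum` bytes. If the declared LSA length leaves fewer trailing bytes than a TLV header, that read already goes beyond the declared body, even though the function then returns failure. A header-fit guard placed first closes this: `if (length - sum < TLV_HDR_SIZE) return OSPF_GR_FAILURE;`. The loop in the `show_ospf_grace_lsa_info` hunk has the same ordering. Neither hunk shows `length` being compared with the size of the buffer behind `lsa->data`; that is presumably validated when the LSA is received, but it is worth confirming since the function body continues outside the hunk.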
@@ -249,6 +275,13 @@ static int ospf_extract_grace_lsa_fields(struct ospf_lsa *lsa,
return OSPF_GR_FAILURE;
break;
case RESTART_REASON_TYPE:
+ if (TLV_SIZE(tlvh) <
+ sizeof(struct grace_tlv_restart_reason)) {
+ zlog_debug("%s: Malformed packet: Invalid reason TLV len:%zu",
+ __func__, TLV_SIZE(tlvh));
+ return OSPF_GR_FAILURE;
+ }
+
gr_reason = (struct grace_tlv_restart_reason *)tlvh;
*reason = gr_reason->reason;
sum += TLV_SIZE(tlvh);
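Review bot: The `zlog_debug` in the added `RESTART_REASON_TYPE` length check is not wrapped in `if (IS_DEBUG_OSPF_GR_HELPER)`, unlike the LSA-length and overall TLV-length checks this commit adds earlier in the same function. The `GRACE_PERIOD_TYPE` and `RESTARTER_IP_ADDR_TYPE` checks in the neighbouring hunks are unguarded in the same way. Because these messages are triggered by the contents of a neighbour-supplied grace LSA, they should follow the same debug gate as the rest: `if (IS_DEBUG_OSPF_GR_HELPER) zlog_debug(...);`.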
@@ -257,6 +290,13 @@ static int ospf_extract_grace_lsa_fields(struct ospf_lsa *lsa,
return OSPF_GR_FAILURE;
break;
case RESTARTER_IP_ADDR_TYPE:
+ if (TLV_SIZE(tlvh) <
+ sizeof(struct grace_tlv_restart_addr)) {
+ zlog_debug("%s: Malformed packet: Invalid addr TLV len:%zu",
+ __func__, TLV_SIZE(tlvh));
+ return OSPF_GR_FAILURE;
+ }
+
restart_addr = (struct grace_tlv_restart_addr *)tlvh;
addr->s_addr = restart_addr->addr.s_addr;
sum += TLV_SIZE(tlvh);
@@ -558,7 +598,7 @@ void ospf_helper_handle_topo_chg(struct ospf *ospf, struct ospf_lsa *lsa)
if (!ospf->active_restarter_cnt)
return;
- /* Topo change not required to be hanlded if strict
+ /* Topo change not required to be handled if strict
* LSA check is disbaled for this router.
*/
if (!ospf->strict_lsa_check)
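Review bot: The comment still reads `disbaled` on its second line. Since this hunk already touches the comment to fix `hanlded`, correct that line as well: `* LSA check is disabled for this router.`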
@@ -963,14 +1003,36 @@ static void show_ospf_grace_lsa_info(struct vty *vty, struct ospf_lsa *lsa)
lsah = (struct lsa_header *)lsa->data;
- length = ntohs(lsah->length) - OSPF_LSA_HEADER_SIZE;
+ length = ntohs(lsah->length);
+
+ if (length <= OSPF_LSA_HEADER_SIZE) {
+ vty_out(vty, "%% Invalid LSA length: %d\n", length);
+ return;
+ }
+
+ length -= OSPF_LSA_HEADER_SIZE;
vty_out(vty, " TLV info:\n");
for (tlvh = TLV_HDR_TOP(lsah); sum < length;
tlvh = TLV_HDR_NEXT(tlvh)) {
+ /* Check TLV len */
+ if (sum + TLV_SIZE(tlvh) > length) {
+ vty_out(vty, "%% Invalid TLV length: %zu\n",
+ TLV_SIZE(tlvh));
+ return;
+ }
+
switch (ntohs(tlvh->type)) {
case GRACE_PERIOD_TYPE:
+ if (TLV_SIZE(tlvh) <
+ sizeof(struct grace_tlv_graceperiod)) {
+ vty_out(vty,
+ "%% Invalid grace TLV length %zu\n",
+ TLV_SIZE(tlvh));
+ return;
+ }
+
gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
sum += TLV_SIZE(tlvh);
@@ -978,6 +1040,14 @@ static void show_ospf_grace_lsa_info(struct vty *vty, struct ospf_lsa *lsa)
ntohl(gracePeriod->interval));
break;
case RESTART_REASON_TYPE:
+ if (TLV_SIZE(tlvh) <
+ sizeof(struct grace_tlv_restart_reason)) {
+ vty_out(vty,
+ "%% Invalid reason TLV length %zu\n",
+ TLV_SIZE(tlvh));
+ return;
+ }
+
grReason = (struct grace_tlv_restart_reason *)tlvh;
sum += TLV_SIZE(tlvh);
@@ -985,6 +1055,14 @@ static void show_ospf_grace_lsa_info(struct vty *vty, struct ospf_lsa *lsa)
ospf_restart_reason2str(grReason->reason));
break;
case RESTARTER_IP_ADDR_TYPE:
+ if (TLV_SIZE(tlvh) <
+ sizeof(struct grace_tlv_restart_addr)) {
+ vty_out(vty,
+ "%% Invalid addr TLV length %zu\n",
+ TLV_SIZE(tlvh));
+ return;
+ }
+
restartAddr = (struct grace_tlv_restart_addr *)tlvh;
sum += TLV_SIZE(tlvh);
@@ -992,6 +1070,9 @@ static void show_ospf_grace_lsa_info(struct vty *vty, struct ospf_lsa *lsa)
inet_ntoa(restartAddr->addr));
break;
default:
+ vty_out(vty, " Unknown TLV type %d\n",
+ ntohs(tlvh->type));
+
break;
}
}
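Review bot: The `default:` branch now prints the unknown type but, as far as this hunk shows, still does not add `TLV_SIZE(tlvh)` to `sum`, while the for-loop keeps advancing `tlvh` with `TLV_HDR_NEXT`. After an unknown TLV, `sum` lags behind the real offset of `tlvh`, so the `sum + TLV_SIZE(tlvh) > length` bound added in this commit no longer describes where `tlvh` points and the walk can continue past the end of the LSA. Add `sum += TLV_SIZE(tlvh);` before the `break;`. The default branch of `ospf_extract_grace_lsa_fields` is not visible on this page and deserves the same check; the rest of this function lies outside the hunk.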