diff options
| author | Renato Westphal <renato@opensourcerouting.org> | 2019-11-14 01:51:06 +0100 |
|---|---|---|
| committer | Renato Westphal <renato@opensourcerouting.org> | 2019-11-14 01:51:06 +0100 |
| commit | f2e8b73572bb4b10adeeec5de8e9773f55749140 (patch) | |
| tree | 8179b0893478ff6cc7bf5b32ad9f4a0f4e6f5981 /ldpd | |
| parent | Merge pull request #5321 from sworleys/Zebra-Dplane-Thread-Cancel-Async (diff) | |
| download | frr-f2e8b73572bb4b10adeeec5de8e9773f55749140.tar.xz frr-f2e8b73572bb4b10adeeec5de8e9773f55749140.zip | |
ldpd: add missing sanity check in the parsing of label messages
Validate that the FEC prefix length is within the allowed limit
(depending on the FEC address family) in order to prevent possible
buffer overflows.
Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
Diffstat (limited to 'ldpd')
| -rw-r--r-- | ldpd/labelmapping.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ldpd/labelmapping.c b/ldpd/labelmapping.c index 5e1b422a4..a65662635 100644 --- a/ldpd/labelmapping.c +++ b/ldpd/labelmapping.c @@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf, /* Prefix Length */ map->fec.prefix.prefixlen = buf[off]; off += sizeof(uint8_t); + if ((map->fec.prefix.af == AF_IPV4 + && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN) + || (map->fec.prefix.af == AF_IPV6 + && map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) { + session_shutdown(nbr, S_BAD_TLV_VAL, msg->id, + msg->type); + return (-1); + } if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) { session_shutdown(nbr, S_BAD_TLV_LEN, msg->id, msg->type); |