author | Donatas Abraitis <donatas@opensourcerouting.org> | 2024-05-24 08:58:30 +0200 |
---|---|---|
committer | Donatas Abraitis <donatas@opensourcerouting.org> | 2024-05-24 09:38:49 +0200 |
commit | 0d079e01e55c35f466dc4982d9c2964f81a70140 (patch) | |
tree | d53b0b1c60507f9e3ed1688adb3c7a53e74f3ecc /bgpd | |
parent | bgpd: Send a notification if we receive CAPABILITY message if not exepected (diff) | |
bgpd: Check if FQDN capability length is in valid ranges

If FQDN capability comes as dynamic capability we should check if the encoding
is proper.

Before this patch we returned an error if the hostname/domainname length check
was > end. But technically, if the length is also == end, this is
a malformed capability, because we use the data incorrectly after we check the
length.

This causes heap overflow (when compiled with address-sanitizer).

Signed-off-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Diffstat (limited to 'bgpd')
-rw-r--r-- | bgpd/bgp_packet.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index a32ee7886..86f85dd86 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -3433,7 +3433,7 @@ static void bgp_dynamic_capability_fqdn(uint8_t *pnt, int action, if (action == CAPABILITY_ACTION_SET) { /* hostname */ - if (data + 1 > end) { + if (data + 1 >= end) { zlog_err("%pBP: Received invalid FQDN capability (host name length)", peer); return; @@ -3463,7 +3463,7 @@ static void bgp_dynamic_capability_fqdn(uint8_t *pnt, int action, peer->hostname = XSTRDUP(MTYPE_BGP_PEER_HOST, str); } - if (data + 1 > end) { + if (data + 1 >= end) { zlog_err("%pBP: Received invalid FQDN capability (domain name length)", peer); return; |
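
Review bot: The hostname check at `if (data + 1 >= end)` in the first hunk (@@ -3433) only establishes that the length octet is in bounds; nothing visible in this hunk shows the name bytes that follow being checked against `end`. The commit message places the fault in how the data is used after the length check, so consider validating the whole field once the length has been read, for example rejecting when `data + 1 + len > end`, rather than relying on `>=` to leave room for the copy. A one-line comment saying whether `end` is the last octet or one past it would make the comparison easier to verify.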
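
Review bot: In the domain-name check of the second hunk (@@ -3463), `data + 1 >= end` also rejects a capability whose final octet is a domain-name length of zero, if `end` points one past the last octet. Please confirm that an empty domain name at the end of the capability is meant to be treated as malformed, and say so in the commit message if it is. The condition and its `zlog_err` call are now duplicated for the host name and the domain name, so a small helper that takes the field name would keep the two bounds checks from drifting apart.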