bgpd: fix insecure data write with area addresses

Fix an issue where an attacker may inject a tainted length value to corrupt the memory. > CID 1568380 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR) > 9. tainted_data: Passing tainted expression length to bgp_linkstate_nlri_value_display, which uses it as an offset Fixes: 8b531b1 ("bgpd: store and send bgp link-state attributes") Signed-off-by: Louis Scalbert <[email protected]>
FRRouting · Sep 28, 2023 · 8464f45 · 8464f45
1 parent b4a24b5
commit 8464f45
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/bgpd/bgp_linkstate_tlv.c b/bgpd/bgp_linkstate_tlv.c
@@ -1528,6 +1528,11 @@ static void bgp_linkstate_tlv_isis_area_indentifier_display(struct vty *vty,
 {
 	struct iso_address addr;
 
+	if (length > sizeof(addr.area_addr)) {
+		bgp_linkstate_tlv_hexa_display(vty, pnt, length, json);
+		return;
+	}
+
 	addr.addr_len = length;
 	memcpy(addr.area_addr, pnt, length);