bgpd: fix insecure data write with ip addresses

Fix issues where an attacker may inject a tainted length value to corrupt the memory. > CID 1568378 (#1-6 of 6): Untrusted value as argument (TAINTED_SCALAR) > 16. tainted_data: Passing tainted expression length to bgp_linkstate_tlv_attribute_value_display, which uses it as an offset. [show details] Fixes: 7e0d9ff ("bgpd: display link-state prefixes detail") Signed-off-by: Louis Scalbert <[email protected]>
FRRouting · Sep 28, 2023 · b4a24b5 · b4a24b5
1 parent 25408c8
commit b4a24b5
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/bgpd/bgp_linkstate_tlv.c b/bgpd/bgp_linkstate_tlv.c
@@ -577,7 +577,8 @@ static bool bgp_linkstate_nlri_value_display(char *buf, size_t size,
 		break;
 	case BGP_LS_TLV_IP_REACHABILITY_INFORMATION:
 		mask_length = pnt_decode8(&pnt);
-		if (nlri_type == BGP_LINKSTATE_PREFIX4) {
+		if (nlri_type == BGP_LINKSTATE_PREFIX4 &&
+				((length - sizeof(mask_length)) <= sizeof(ipv4.s_addr))) {
 			memcpy(&ipv4.s_addr, pnt, length - sizeof(mask_length));
 			if (json)
 				json_object_string_addf(json, "ipReachability",
@@ -587,7 +588,8 @@ static bool bgp_linkstate_nlri_value_display(char *buf, size_t size,
 				snprintfrr(buf, size, "%sIPv4:%pI4/%u",
 					   first ? "" : " ", &ipv4,
 					   mask_length);
-		} else if (nlri_type == BGP_LINKSTATE_PREFIX6) {
+		} else if (nlri_type == BGP_LINKSTATE_PREFIX6 &&
+				((length - sizeof(mask_length)) <= sizeof(ipv6))) {
 			memcpy(&ipv6, pnt, length - sizeof(mask_length));
 			if (json)
 				json_object_string_addf(json, "ipReachability",