pool/frr
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
35f367fe53
frr/0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch

53 lines
1.6 KiB
Diff
Raw Normal View History

Accepting request 958040 from home:mtomaschewski:frr - Apply fix for a buffer overflow in isisd due to the use of strdup with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126) [+ 0006-isisd-fix-10505-using-base64-encoding.patch] - Apply fix for a buffer overflow in isisd due to wrong checks on the input packet length (bsc#1196505,CVE-2022-26125) with workaround for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz [+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch] - Apply fix for a buffer overflow in babeld due to wrong checks on the input packet length in the packet_examin and subtlv parsing (bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129) [+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch] - Apply fix for a heap buffer overflow in babeld due to missing check on the input packet length (bsc#1196503,CVE-2022-26127) [+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch] OBS-URL: https://build.opensuse.org/request/show/958040 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=37
2022-02-28 20:21:42 +01:00
From 50044ec7fe129e0a74d3a679dd29fe17ce30e6bf Mon Sep 17 00:00:00 2001
From: whichbug <whichbug@github.com>
Date: Thu, 3 Feb 2022 12:01:31 -0500
Upstream: yes
References: bsc#1196503,CVE-2022-26127
Subject: [PATCH] babeld: fix #10487 by adding a check on packet length
The body length of a packet should satisfy the condition:
packetlen >= bodylen + 4. Otherwise, heap overflows may happen.
Signed-off-by: whichbug <whichbug@github.com>
diff --git a/babeld/message.c b/babeld/message.c
index 5c2e29d8b..3a29b6a60 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
static int
babel_packet_examin(const unsigned char *packet, int packetlen)
{
- unsigned i = 0, bodylen;
+ int i = 0, bodylen;
const unsigned char *message;
unsigned char type, len;
if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
return 1;
DO_NTOHS(bodylen, packet + 2);
+ if(bodylen + 4 > packetlen) {
+ debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
+ bodylen, packetlen);
+ return 1;
+ }
while (i < bodylen){
message = packet + 4 + i;
type = message[0];
@@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
DO_NTOHS(bodylen, packet + 2);
- if(bodylen + 4 > packetlen) {
- flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
- bodylen, packetlen);
- bodylen = packetlen - 4;
- }
-
i = 0;
while(i < bodylen) {
message = packet + 4 + i;
--
2.34.1
Reference in New Issue Copy Permalink