frr/0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
Martin Hauke 96a81d154e Accepting request 958040 from home:mtomaschewski:frr
- Apply fix for a buffer overflow in isisd due to the use of strdup
  with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
  [+ 0006-isisd-fix-10505-using-base64-encoding.patch]
- Apply fix for a buffer overflow in isisd due to wrong checks on
  the input packet length (bsc#1196505,CVE-2022-26125) with workaround
  for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
  [+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
- Apply fix for a buffer overflow in babeld due to wrong checks on
  the input packet length in the packet_examin and subtlv parsing
  (bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
  [+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
- Apply fix for a heap buffer overflow in babeld due to missing check
  on the input packet length (bsc#1196503,CVE-2022-26127)
  [+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]

OBS-URL: https://build.opensuse.org/request/show/958040
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=37
2022-02-28 19:21:42 +00:00


From c3793352a8d76d2eee1edc38a9a16c1c8a6573f4 Mon Sep 17 00:00:00 2001
From: qingkaishi <qingkaishi@gmail.com>
Date: Fri, 4 Feb 2022 16:41:11 -0500
Upstream: yes
References: bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129
Subject: [PATCH] babeld: fix #10502 #10503 by repairing the checks on length

This patch repairs the checking conditions on length in four functions:
babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>
diff --git a/babeld/message.c b/babeld/message.c
index 5c2e29d8b..053538700 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -140,12 +140,12 @@ parse_update_subtlv(const unsigned char *a, int alen,
continue;
}
- if(i + 1 > alen) {
+ if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
return;
}
len = a[i + 1];
- if(i + len > alen) {
+ if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
return;
}
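Review bot: the two corrected conditions in parse_update_subtlv use different idioms for the same idea: `i + 1 >= alen` guards the length octet at `a[i + 1]`, while `i + len + 2 > alen` guards the value; writing the first as `i + 2 > alen`, the form babel_packet_examin uses later in this patch, would make both read as "type octet, length octet and value must all fit in alen". The old `i + len > alen` ignored the two header octets and so let the value read run two bytes past the end of the buffer. This hunk does not show where `type` is read in this function; since parse_hello_subtlv and parse_ihu_subtlv both had `type = a[0]` instead of `type = a[i]`, it is worth confirming parse_update_subtlv already indexes `a[i]`. Both truncation branches log the identical "Received truncated attributes." text; distinguishing a truncated sub-TLV header from a truncated sub-TLV value would make fuzzer reports easier to triage.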
@@ -182,19 +182,19 @@ parse_hello_subtlv(const unsigned char *a, int alen,
int type, len, i = 0, ret = 0;
while(i < alen) {
- type = a[0];
+ type = a[i];
if(type == SUBTLV_PAD1) {
i++;
continue;
}
- if(i + 1 > alen) {
+ if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on Hello message.");
return -1;
}
len = a[i + 1];
- if(i + len > alen) {
+ if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on Hello message.");
return -1;
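Review bot: the `type = a[0]` to `type = a[i]` change is a separate logic fix from the length checks the commit message describes and should be called out there: with `a[0]` every iteration read the first sub-TLV's type, so a leading PAD1 kept the loop skipping one byte at a time and any other leading type was applied to every later sub-TLV in the block. For the bounds, `i + 1 >= alen` now guarantees `a[i + 1]` is inside the buffer before `len` is read, and `i + len + 2 > alen` accounts for the type and length octets that the old `i + len > alen` left out, so the value bytes `a[i + 2]` through `a[i + len + 1]` stay within `alen`. Both error branches return -1 with the same message; as in parse_update_subtlv, separate messages for header and value truncation would help when triaging.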
@@ -228,19 +228,19 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
int type, len, i = 0, ret = 0;
while(i < alen) {
- type = a[0];
+ type = a[i];
if(type == SUBTLV_PAD1) {
i++;
continue;
}
- if(i + 1 > alen) {
+ if(i + 1 >= alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on IHU message.");
return -1;
}
len = a[i + 1];
- if(i + len > alen) {
+ if(i + len + 2 > alen) {
flog_err(EC_BABEL_PACKET,
"Received truncated sub-TLV on IHU message.");
return -1;
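Review bot: this hunk is line for line the same fix as parse_hello_subtlv, and the original defects (`a[0]` instead of `a[i]`, and `i + len > alen` without the header octets) were identical in both; the shared loop skeleton (PAD1 skip, header bound, length read, value bound) could live in one helper that yields type, length and a pointer to the value, so the bound check exists in a single place and cannot drift again. The context after the second `return -1;` is not shown here, so check that the loop's advance past each sub-TLV in the unchanged code is consistent with the two header octets the new `i + len + 2` bound assumes.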
@@ -302,12 +302,12 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
i++;
continue;
}
- if(i + 1 > bodylen) {
+ if(i + 2 > bodylen) {
debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
return 1;
}
len = message[1];
- if(i + len > bodylen) {
+ if(i + len + 2 > bodylen) {
debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
return 1;
}
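Review bot: `i + 2 > bodylen` here and `i + 1 >= alen` in the three sub-TLV parsers are equivalent but inconsistent; pick one form across the patch. Unlike the sub-TLV parsers, the length is read as `message[1]` with no `i` offset, so `message` must already point at the current TLV within the packet body; that pointer arithmetic is outside the shown context and deserves a look, since the `a[0]` bug fixed above was exactly this class of mistake. This function is the outer validator the sub-TLV parsers depend on, and with `i + len + 2 > bodylen` a TLV whose declared length runs past the body is now rejected before parse_*_subtlv ever sees it. The reject path only emits a debugf at BABEL_DEBUG_COMMON while the sub-TLV parsers use flog_err, so a malformed packet dropped here leaves no trace unless that debug flag is enabled; a flog_err, or at least a comment explaining why the quieter level is intended, would help operators notice a peer sending truncated messages.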
--
2.34.1