From 4a1bfe096cb2abb9eb738cd0511d7a2d3f62dbd3 Mon Sep 17 00:00:00 2001 From: Louis Scalbert Date: Mon, 2 Sep 2024 10:26:57 +0200 Subject: [PATCH] isisd: fix crash when reading asla isisd is crashing when reading a ASLA sub-TLV with Application Identifier Bit Mask length greater than 1 octet. Set a limit of 8 bytes in accordance with RFC9479 and check that the received value does not exceed the limit. Reported-by: Iggy Frankovic Link: https://www.rfc-editor.org/rfc/rfc9479.html#name-application-identifier-bit- Fixes: 5749ac83a8 ("isisd: add ASLA support") Signed-off-by: Louis Scalbert (cherry picked from commit f1bc6c5d81e8cc0d31ee61abb295193f30db4f5a) --- isisd/isis_tlvs.c | 13 +++++++++++-- isisd/isis_tlvs.h | 1 + 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c index 10223992585f..91762af4442c 100644 --- a/isisd/isis_tlvs.c +++ b/isisd/isis_tlvs.c @@ -1131,8 +1131,8 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len, uint8_t sabm_flag_len; /* User-defined App Identifier Bit Flags/Length */ uint8_t uabm_flag_len; - uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0}; - uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_LENGTH] = {0}; + uint8_t sabm[ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH] = { 0 }; + uint8_t uabm[ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH] = { 0 }; uint8_t readable = subtlv_len; uint8_t subsubtlv_type; uint8_t subsubtlv_len; @@ -1163,6 +1163,15 @@ static int unpack_item_ext_subtlv_asla(uint16_t mtid, uint8_t subtlv_len, return -1; } + if ((asla->standard_apps_length > ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH) || + (asla->user_def_apps_length > ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH)) { + zlog_err("Standard or User-Defined Application Identifier Bit Mask Length greater than %u bytes. Received respectively a length of %u and %u bytes.", + ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH, + asla->standard_apps_length, asla->user_def_apps_length); + stream_forward_getp(s, readable); + return -1; + } + for (int i = 0; i < asla->standard_apps_length; i++) sabm[i] = stream_getc(s); for (int i = 0; i < asla->user_def_apps_length; i++) diff --git a/isisd/isis_tlvs.h b/isisd/isis_tlvs.h index 03e2b2edccca..e4c2d675ddf9 100644 --- a/isisd/isis_tlvs.h +++ b/isisd/isis_tlvs.h @@ -560,6 +560,7 @@ struct isis_ext_subtlvs { #define ISIS_SABM_FLAG_X 0x10 /* Flex-Algorithm - RFC9350 */ #define ASLA_APP_IDENTIFIER_BIT_LENGTH 1 +#define ASLA_APP_IDENTIFIER_BIT_MAX_LENGTH 8 #define ASLA_LEGACY_FLAG 0x80 #define ASLA_APPS_LENGTH_MASK 0x7f