File quagga-CVE-2016-2342-VPNv4-NLRI-memcpy-stack-ov... of Package quagga

Overview Repositories Revisions Requests Users Attributes Meta

File quagga-CVE-2016-2342-VPNv4-NLRI-memcpy-stack-overflow.patch of Package quagga (Revision cc12b273846aed258f77fceaca311339)

Currently displaying revision cc12b273846aed258f77fceaca311339 , Show latest

Index: quagga-0.99.22.1/bgpd/bgp_mplsvpn.c
===================================================================
--- quagga-0.99.22.1.orig/bgpd/bgp_mplsvpn.c
+++ quagga-0.99.22.1/bgpd/bgp_mplsvpn.c
@@ -102,6 +102,7 @@ bgp_nlri_parse_vpnv4 (struct peer *peer,
   pnt = packet->nlri;
   lim = pnt + packet->length;
 
+#define VPN_PREFIXLEN_MIN_BYTES (3 + 8) /* label + RD */
   for (; pnt < lim; pnt += psize)
     {
       /* Clear prefix structure. */
@@ -109,19 +110,40 @@ bgp_nlri_parse_vpnv4 (struct peer *peer,
 
       /* Fetch prefix length. */
       prefixlen = *pnt++;
-      p.family = AF_INET;
+      p.family = afi2family (packet->afi);
       psize = PSIZE (prefixlen);
-
-      if (prefixlen < 88)
-	{
-	  zlog_err ("prefix length is less than 88: %d", prefixlen);
-	  return -1;
-	}
-
+      
+      /* sanity check against packet data */
+      if (prefixlen < VPN_PREFIXLEN_MIN_BYTES*8 || (pnt + psize) > lim)
+        {
+          zlog_err ("prefix length (%d) is less than 88"
+                    " or larger than received (%u)",
+                    prefixlen, (uint)(lim-pnt));
+          return -1;
+        }
+      
+      /* sanity check against storage for the IP address portion */
+      if ((psize - VPN_PREFIXLEN_MIN_BYTES) > (ssize_t) sizeof(p.u))
+        {
+          zlog_err ("prefix length (%d) exceeds prefix storage (%zu)",
+                    prefixlen - VPN_PREFIXLEN_MIN_BYTES*8, sizeof(p.u));
+          return -1;
+        }
+      
+      /* Sanity check against max bitlen of the address family */
+      if ((psize - VPN_PREFIXLEN_MIN_BYTES) > prefix_blen (&p))
+        {
+          zlog_err ("prefix length (%d) exceeds family (%u) max byte length (%u)",
+                    prefixlen - VPN_PREFIXLEN_MIN_BYTES*8, 
+                    p.family, prefix_blen (&p));
+          return -1;
+                  
+        }
+      
       label = decode_label (pnt);
 
       /* Copyr label to prefix. */
-      tagpnt = pnt;;
+      tagpnt = pnt;
 
       /* Copy routing distinguisher to rd. */
       memcpy (&prd.val, pnt + 3, 8);
@@ -140,8 +162,9 @@ bgp_nlri_parse_vpnv4 (struct peer *peer,
 	  return -1;
 	}
 
-      p.prefixlen = prefixlen - 88;
-      memcpy (&p.u.prefix, pnt + 11, psize - 11);
+      p.prefixlen = prefixlen - VPN_PREFIXLEN_MIN_BYTES*8;
+      memcpy (&p.u.prefix, pnt + VPN_PREFIXLEN_MIN_BYTES, 
+              psize - VPN_PREFIXLEN_MIN_BYTES);
 
 #if 0
       if (type == RD_TYPE_AS)
@@ -152,9 +175,6 @@ bgp_nlri_parse_vpnv4 (struct peer *peer,
 		   rd_ip.val, inet_ntoa (p.u.prefix4), p.prefixlen);
 #endif /* 0 */
 
-      if (pnt + psize > lim)
-	return -1;
-
       if (attr)
 	bgp_update (peer, &p, attr, AFI_IP, SAFI_MPLS_VPN,
 		    ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, &prd, tagpnt, 0);
@@ -162,12 +182,12 @@ bgp_nlri_parse_vpnv4 (struct peer *peer,
 	bgp_withdraw (peer, &p, attr, AFI_IP, SAFI_MPLS_VPN,
 		      ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, &prd, tagpnt);
     }
-
   /* Packet length consistency check. */
   if (pnt != lim)
     return -1;
-
+  
   return 0;
+#undef VPN_PREFIXLEN_MIN_BYTES
 }
 
 int

Places

File quagga-CVE-2016-2342-VPNv4-NLRI-memcpy-stack-overflow.patch of Package quagga (Revision cc12b273846aed258f77fceaca311339)

Places