From 38774fc5e6b8da326bbe3700d7d54498aedb154a Mon Sep 17 00:00:00 2001
From: Hiroki Shirokura
Date: Mon, 3 Feb 2020 23:25:26 +0000
Subject: [PATCH] bgpd: fix Prefix-SID parse error

Prefix-SID is desined to capable for TLV array. That behaviour is important to support SR-MPLS feature and that supported by previous PR #5418. In that implementation, but if some additional data (such as next BGP update message or next path attributes) was present after Prefix-SID path attribute, bgpd will parse that addional data as Prefix-SID TLV. This commit fix that. before this commit, loop condition is determed by stream is readable or not. In more correct implementatoin, the prefix-sid boundaly should be checked additonally. the length of Prefix-sid path attribute can be get by bgp_attr_parse_args.

Signed-off-by: Hiroki Shirokura
---
 bgpd/bgp_attr.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index f00bb2b3c..2bbcade8e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2590,8 +2590,10 @@ bgp_attr_parse_ret_t bgp_attr_prefix_sid(struct bgp_attr_parser_args *args,
 	uint8_t type;
 	uint16_t length;
 	size_t headersz = sizeof(type) + sizeof(length);
+	size_t psid_parsed_length = 0;
 
-	while (STREAM_READABLE(peer->curr) > 0) {
+	while (STREAM_READABLE(peer->curr) > 0
+	       && psid_parsed_length < args->length) {
 		if (STREAM_READABLE(peer->curr) < headersz) {
 			flog_err(
@@ -2621,6 +2623,19 @@ bgp_attr_parse_ret_t bgp_attr_prefix_sid(struct bgp_attr_parser_args *args,
 		if (ret != BGP_ATTR_PARSE_PROCEED)
 			return ret;
+
+		psid_parsed_length += length + headersz;
+
+		if (psid_parsed_length > args->length) {
+			flog_err(
+				EC_BGP_ATTR_LEN,
+				"Malformed Prefix SID attribute - TLV overflow by attribute (need %zu"
+				" for TLV length, have %zu overflowed in UPDATE)",
+				length + headersz, psid_parsed_length - (length + headersz));
+			return bgp_attr_malformed(
+				args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+				args->total);
+		}
 	}
 
 	return BGP_ATTR_PARSE_PROCEED;
-- 
2.39.5
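Review bot: The attribute-boundary check added after `return ret;` runs only once the TLV has already been parsed (the `ret` tested at the top of the hunk appears to come from the per-type TLV parse just above it, outside the hunk), so a TLV whose `length` extends past the end of the Prefix-SID attribute is read from `peer->curr` — into whatever follows the attribute — before it is rejected. Performing the bound check as soon as `type` and `length` have been read, before the sub-TLV parse, avoids ever consuming across the attribute boundary: `if (psid_parsed_length + headersz + length > args->length)` with the same `bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, args->total)` return, and the `psid_parsed_length += length + headersz;` increment left after a successful parse. The log text is also misleading: the second `%zu` receives `psid_parsed_length - (length + headersz)`, which is the number of attribute bytes consumed before this TLV rather than an overflow amount, so the message should say what it prints, e.g. `"need %zu for TLV, %zu already consumed of %u attribute bytes"` with `args->length` added as a third argument. The body of bgp_attr_prefix_sid begins before this hunk and the loop header with the new `psid_parsed_length < args->length` condition is in the previous hunk.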