Merge pull request #5337 from opensourcerouting/ldpd-buffer-overflow-7.1

author Sri Mohana Singamsetty <srimohans@gmail.com>

Fri, 15 Nov 2019 23:38:45 +0000 (15:38 -0800)

committer GitHub <noreply@github.com>

Fri, 15 Nov 2019 23:38:45 +0000 (15:38 -0800)
author Sri Mohana Singamsetty <srimohans@gmail.com>
Fri, 15 Nov 2019 23:38:45 +0000 (15:38 -0800)
committer GitHub <noreply@github.com>
Fri, 15 Nov 2019 23:38:45 +0000 (15:38 -0800)
diff --git a/ldpd/labelmapping.c b/ldpd/labelmapping.c

index 5e1b422a41638f20612b3aa65fc4f6368a39e8da..a656626356abe9a9ce8a9fbf18586bc5e38d78cb 100644 (file)
--- a/ldpd/labelmapping.c
+++ b/ldpd/labelmapping.c
@@ -723,6 +723,14 @@ tlv_decode_fec_elm(struct nbr *nbr, struct ldp_msg *msg, char *buf,
                 /* Prefix Length */
                 map->fec.prefix.prefixlen = buf[off];
                 off += sizeof(uint8_t);
+               if ((map->fec.prefix.af == AF_IPV4
+                    && map->fec.prefix.prefixlen > IPV4_MAX_PREFIXLEN)
+                   || (map->fec.prefix.af == AF_IPV6
+                       && map->fec.prefix.prefixlen > IPV6_MAX_PREFIXLEN)) {
+                       session_shutdown(nbr, S_BAD_TLV_VAL, msg->id,
+                           msg->type);
+                       return (-1);
+               }
                 if (len < off + PREFIX_SIZE(map->fec.prefix.prefixlen)) {
                         session_shutdown(nbr, S_BAD_TLV_LEN, msg->id,
                             msg->type);
author	Sri Mohana Singamsetty <srimohans@gmail.com>
	Fri, 15 Nov 2019 23:38:45 +0000 (15:38 -0800)
committer	GitHub <noreply@github.com>
	Fri, 15 Nov 2019 23:38:45 +0000 (15:38 -0800)