From 460ee930d6dbce6e96ecbfcd568a291f31bae24e Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Fri, 18 Aug 2023 11:28:03 +0300 Subject: [PATCH] bgpd: Make sure we have enough data to read two bytes when validating AIGP Found when fuzzing: ``` ==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50 READ of size 2 at 0xffff77801ef7 thread T0 0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21) 1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2 2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3 3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7 4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10 ``` Reported-by: Iggy Frankovic Signed-off-by: Donatas Abraitis (cherry picked from commit f96201e104892e18493f24cf67bb713678e8237b) --- bgpd/bgp_attr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index bc8b33f7bed9..ff28979ef6a3 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -513,6 +513,7 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length) uint8_t *data = pnt; uint8_t tlv_type; uint16_t tlv_length; + uint8_t *end = data + length; if (length < 3) { zlog_err("Bad AIGP attribute length (MUST be minimum 3): %u", @@ -521,7 +522,13 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length) } while (length) { + size_t data_len = end - data; + tlv_type = *data; + + if (data_len - 1 < 2) + return false; + ptr_get_be16(data + 1, &tlv_length); (void)data;