
Incorrect checks on length in babeld #10502

Closed
db-sca opened this issue Feb 4, 2022 · 2 comments · Fixed by #10504

Comments

db-sca commented Feb 4, 2022

The check at Line 310 is not correct. It should be i + len + 2 > bodylen rather than i + len > bodylen, because len does not include the first two bytes, i.e., message[0] and message[1].

frr/babeld/message.c

Lines 300 to 312 in ab68283

```c
    type = message[0];
    if(type == MESSAGE_PAD1) {
        i++;
        continue;
    }
    if(i + 1 > bodylen) {                  /* line 305: only guarantees message[0] is in bounds */
        debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
        return 1;
    }
    len = message[1];                      /* line 309: read past bodylen when i + 1 == bodylen */
    if(i + len > bodylen) {                /* line 310: len excludes the two header bytes */
        debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
        return 1;
    }
```

db-sca commented Feb 4, 2022

The check at Line 305 is also incorrect. It should be i + 2 > bodylen rather than i + 1 > bodylen.

You may feed the packet "2a:02:00:01:02" to the function to reproduce an overflow at Line 309.
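To make the two off-by-two checks concrete, here is a small C model of the TLV walk written for this page (it is not FRR's code): it applies either the original checks or the corrected ones the reporter proposes, and instead of reading past bodylen it records the index the real parser would have touched. The names walk_tlvs, walk_result, overreads and the fixed flag are assumptions of this example; the five-byte packet 2a:02:00:01:02 used with it is the one quoted above.

```c
#include <stddef.h>
#include <stdint.h>

#define MESSAGE_PAD1 0

/* Outcome of walking one Babel TLV body (constructed model, not FRR's code). */
typedef struct {
    int truncated;    /* walker rejected the body as truncated */
    int tlvs;         /* TLVs accepted before stopping */
    size_t max_index; /* highest body[] index a parse of the accepted TLVs would touch */
} walk_result;

/* Walk the body as babel_packet_examin does. fixed == 0 uses the original checks
 * (i + 1 > bodylen, i + len > bodylen); fixed == 1 uses the corrected ones from the
 * thread (i + 2 > bodylen, i + len + 2 > bodylen). Nothing past bodylen is ever
 * dereferenced: the index the real parser would read is recorded in max_index, so
 * max_index >= bodylen means the checks let an out-of-bounds read through. */
static walk_result walk_tlvs(const uint8_t *body, size_t bodylen, int fixed)
{
    walk_result r = { 0, 0, 0 };
    size_t i = 0;
    while (i < bodylen) {
        uint8_t type = body[i];
        if (type == MESSAGE_PAD1) { i++; continue; }
        if (i + 1 + (fixed ? 1 : 0) > bodylen) { r.truncated = 1; return r; }
        if (i + 1 >= bodylen) {  /* original check passed with i == bodylen - 1: */
            r.max_index = i + 1; /* len = message[1] would read one byte past the end */
            return r;
        }
        uint8_t len = body[i + 1];
        if (i + len + (fixed ? 2 : 0) > bodylen) { r.truncated = 1; return r; }
        size_t last = i + 1 + len; /* last byte covered by this TLV's header + value */
        if (last > r.max_index) r.max_index = last;
        r.tlvs++;
        i += 2 + len;
    }
    return r;
}

/* 1 if the walker accepted a TLV that reaches past bodylen, else 0. */
static int overreads(const uint8_t *body, size_t bodylen, int fixed)
{
    walk_result r = walk_tlvs(body, bodylen, fixed);
    return !r.truncated && r.max_index >= bodylen;
}
```

Called on the five bytes above with bodylen 5, overreads(..., 0) returns 1 (the second TLV header starts at the last byte, so the original checks accept a read of message[1] at index 5) while overreads(..., 1) returns 0 because the corrected check rejects the body as truncated.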

db-sca changed the title from "An incorrect check on length in babeld" to "Incorrect checks on length in babeld" on Feb 4, 2022
qingkaishi added a commit to qingkaishi/frr that referenced this issue Feb 4, 2022
…n length

This patch repairs the checking conditions on length in four functions:
babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>
mergify bot pushed a commit that referenced this issue Feb 8, 2022
This patch repairs the checking conditions on length in four functions:
babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>
(cherry picked from commit c379335)
plsaranya pushed a commit to plsaranya/frr that referenced this issue Feb 28, 2022
…n length
qlyoung commented Mar 28, 2022

Assigned CVE-2022-26128 with a score of 7.8.

No assessment of exploitability has been made.

Please see my comment here.

patrasar pushed a commit to patrasar/frr that referenced this issue Apr 28, 2022
…n length
gpnaveen pushed a commit to gpnaveen/frr that referenced this issue Jun 7, 2022
…n length