Incorrect checks on length in babeld #10502
Comments
The check at Line 305 is also incorrect. It should be You may feed the packet "2a:02:00:01:02" to the function to reproduce an overflow at Line 309.
qingkaishi
added a commit
to qingkaishi/frr
that referenced
this issue
Feb 4, 2022
…n length This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com>
mergify bot
pushed a commit
that referenced
this issue
Feb 8, 2022
This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com> (cherry picked from commit c379335)
plsaranya
pushed a commit
to plsaranya/frr
that referenced
this issue
Feb 28, 2022
…n length This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com>
Assigned CVE-2022-26128 with a score of 7.8. No assessment of exploitability has been made. Please see my comment here.
patrasar
pushed a commit
to patrasar/frr
that referenced
this issue
Apr 28, 2022
…n length This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com>
gpnaveen
pushed a commit
to gpnaveen/frr
that referenced
this issue
Jun 7, 2022
…n length This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com>
The check at Line 310 is not correct. It should be i + len + 2 > bodylen rather than i + len > bodylen, because len does not include the first two bytes, i.e., message[0] and message[1].
frr/babeld/message.c
Lines 300 to 312 in ab68283
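Added example, not FRR's code and not part of the issue: a minimal walker over type/length/value records that runs the reported check and the proposed one on constructed input and reports whether a record accepted by the check still ends outside the body. The function name, return codes and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum { TLV_OK = 0, TLV_REJECTED = -1, TLV_OVERRUN = 1 };

/* Walk type/len/value records in body[0..bodylen). len counts only the value,
 * not the type byte (message[0]) or the length byte (message[1]).
 * fixed == 0 applies the check the issue reports, fixed != 0 the proposed one.
 * Hypothetical helper: it never reads a value, it only reports whether the
 * chosen check would let a parser run past the end of the body. */
static int tlv_walk(const unsigned char *body, size_t bodylen, int fixed)
{
	size_t i = 0;

	while (i < bodylen) {
		if (body[i] == 0) {        /* Pad1 in Babel: a single byte, no length */
			i++;
			continue;
		}
		if (bodylen - i < 2)       /* no room left for the length byte */
			return TLV_REJECTED;
		size_t len = body[i + 1];
		int rejected = fixed ? (i + len + 2 > bodylen) : (i + len > bodylen);
		if (rejected)
			return TLV_REJECTED;
		if (len > bodylen - i - 2) /* check passed, record still ends outside */
			return TLV_OVERRUN;
		i += len + 2;
	}
	return TLV_OK;
}

/* Constructed samples, not captured traffic. */
static const unsigned char truncated[] = { 0x04, 0x02, 0xAA };       /* len 2, 1 value byte */
static const unsigned char complete[]  = { 0x04, 0x02, 0xAA, 0xBB }; /* len 2, 2 value bytes */

int main(void)
{
	printf("truncated, i + len > bodylen:     %d\n", tlv_walk(truncated, sizeof truncated, 0));
	printf("truncated, i + len + 2 > bodylen: %d\n", tlv_walk(truncated, sizeof truncated, 1));
	printf("complete,  i + len > bodylen:     %d\n", tlv_walk(complete, sizeof complete, 0));
	printf("complete,  i + len + 2 > bodylen: %d\n", tlv_walk(complete, sizeof complete, 1));
	return 0;
}
```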