babeld: bugs in parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv #10503
Lines 179 to 201 in e743c1b
Line 185: it should be
Line 191: the condition should be
Line 197: the condition should be
Lines 224 to 247 in e743c1b
Line 231: it should be
Line 237: the condition should be
Line 243: the condition should be
Hi @qingkaishi, thanks for letting everyone know about the issues.
Sure. I will do that soon.
Thanks!
…n length This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com>
This patch repairs the checking conditions on length in four functions: babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv Signed-off-by: qingkaishi <qingkaishi@gmail.com> (cherry picked from commit c379335)
This has been assigned CVE-2022-26129 with a severity score of 7.8. No assessment of exploitability has been made. Please see my comment here.
frr/babeld/message.c
Lines 131 to 151 in e743c1b
Line 143: the condition should be i + 1 >= alen instead of i + 1 > alen. Otherwise, overflows will happen at 147.
Line 148: the condition should be i + len + 2 > alen instead of i + len > alen. We need to include the extra two bytes, a[i] and a[i + 1], in this check.
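The two corrected conditions from the report, placed next to the original ones in a small stand-alone sub-TLV walker. This is an added example, not FRR's code: `walk_subtlvs`, the `fixed` switch, the `-2` guard return, the Pad1 handling and the `i += len + 2` step are assumptions, and the sample buffers are constructed.

```c
#include <stdio.h>

#define SUBTLV_PAD1 0   /* assumed: one-byte padding sub-TLV, no length field */

/* Walk a sub-TLV area a[0..alen). With fixed=0 the two length checks are the
 * original ones quoted in the issue; with fixed=1 they are the corrected ones.
 * Returns the number of sub-TLVs walked, -1 if the area is rejected as
 * truncated, or -2 where unchecked code would go on to use index >= alen. */
static int walk_subtlvs(const unsigned char *a, int alen, int fixed)
{
    int i = 0, count = 0;

    while (i < alen) {
        int len;
        if (a[i] == SUBTLV_PAD1) { i++; count++; continue; }

        /* Check 1: is the length byte a[i + 1] inside the area? */
        if (fixed ? (i + 1 >= alen) : (i + 1 > alen))
            return -1;
        if (i + 1 >= alen)      /* guard standing in for the stray read */
            return -2;
        len = a[i + 1];

        /* Check 2: type byte + length byte + len body bytes must fit. */
        if (fixed ? (i + len + 2 > alen) : (i + len > alen))
            return -1;
        if (i + len + 2 > alen) /* body would run past the area */
            return -2;

        count++;
        i += len + 2;
    }
    return count;
}

int main(void)
{
    /* Constructed sample areas; type value 2 is arbitrary. */
    const unsigned char ok[]      = { 0, 2, 1, 0xAA };  /* PAD1 + 1-byte body */
    const unsigned char no_len[]  = { 2 };              /* type, no length byte */
    const unsigned char short_b[] = { 2, 2, 0xAA };     /* claims 2, has 1 */

    printf("ok:      old=%d new=%d\n", walk_subtlvs(ok, 4, 0), walk_subtlvs(ok, 4, 1));
    printf("no_len:  old=%d new=%d\n", walk_subtlvs(no_len, 1, 0), walk_subtlvs(no_len, 1, 1));
    printf("short_b: old=%d new=%d\n", walk_subtlvs(short_b, 3, 0), walk_subtlvs(short_b, 3, 1));
    return 0;
}
```

A return of `-2` marks the inputs that the original conditions let through; the corrected conditions reject the same inputs with `-1`.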