isisd: misusing strdup leads to stack overflow #10505
Comments
@idryzhov Could you also have a look at this issue?
Hi @whichbug, I checked the issue. The problem here is that we're trying to represent binary data as a simple string, which is wrong. The only correct solution here would be to implement new function
Hi, @idryzhov thanks for your reply. I think your idea makes sense and I will try.
Nice find. By the way, when you find issues like this, if you want you can just submit a pull request without filing an issue. We patch these kinds of things regularly without making an issue, since the pull request itself is a record of both the issue and the appropriate fix for it. It's a little easier for us since we can track it in one place, and it helps keep our issues a little cleaner. It's up to you though.
Using base64 instead of the raw string to encode the binary data. Signed-off-by: whichbug <whichbug@github.com>
Sure. Many thanks!
This is now filed as CVE-2022-26126, with an assigned severity score of 7.8. No assessment of exploitability has been made. Please see my comment here.
At Line 470 in the code below, we call `yang_data_new`, which will further call `strdup(raw_pdu)`. However, `raw_pdu` is not guaranteed to be a zero-terminated string and, thus, will lead to a stack overflow in `strdup`. When I set `raw_pdu[raw_pdu_len - 1]` to `\0`, then the bug disappears. Note that `strdup` should be used with a C-string.

In the same file, `isis_nb_notifications.c`, there are 8 places where `yang_data_new` is used with `raw_pdu` and, thus, may have the overflow bug. Please check and suggest a fix. I can give a pull request then.

frr/isisd/isis_nb_notifications.c
Lines 454 to 471 in eef8006
What follows is the output of the address sanitizer:
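The approach the thread settles on (base64 instead of a raw string), as an added example that is not part of the original issue or FRR's code: `pdu_to_base64`, `cstring_visible_len` and the sample bytes are hypothetical names and constructed data. It encodes a length-delimited buffer into a proper C string and shows why terminating only the last byte still drops everything after an embedded zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not FRR's API): base64-encode len bytes into a
 * NUL-terminated string that the caller frees. Length is always explicit. */
char *pdu_to_base64(const uint8_t *pdu, size_t len)
{
	static const char tbl[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	char *out = malloc(4 * ((len + 2) / 3) + 1);
	char *p = out;
	if (!out)
		return NULL;
	for (size_t i = 0; i < len; i += 3) {
		/* Pack up to three bytes; missing trailing bytes count as zero. */
		uint32_t v = (uint32_t)pdu[i] << 16;
		if (i + 1 < len)
			v |= (uint32_t)pdu[i + 1] << 8;
		if (i + 2 < len)
			v |= pdu[i + 2];
		*p++ = tbl[(v >> 18) & 0x3f];
		*p++ = tbl[(v >> 12) & 0x3f];
		*p++ = (i + 1 < len) ? tbl[(v >> 6) & 0x3f] : '=';
		*p++ = (i + 2 < len) ? tbl[v & 0x3f] : '=';
	}
	*p = '\0';
	return out;
}

/* How many bytes a C-string function would see if the buffer were merely
 * NUL-terminated at the end: it stops at the first zero byte inside it. */
size_t cstring_visible_len(const uint8_t *pdu, size_t len)
{
	const uint8_t *nul = memchr(pdu, 0, len);
	return nul ? (size_t)(nul - pdu) : len;
}
/* Constructed sample: binary data with an embedded zero and no terminator. */
static const uint8_t sample_pdu[5] = { 0x83, 0x1b, 0x00, 0x01, 0xff };

int main(void)
{
	char *b64 = pdu_to_base64(sample_pdu, sizeof(sample_pdu));
	printf("base64=%s, C-string view=%zu of %zu bytes\n", b64 ? b64 : "",
	       cstring_visible_len(sample_pdu, sizeof(sample_pdu)), sizeof(sample_pdu));
	free(b64);
	return 0;
}
```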