bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE #13099

Closed
@melissa-cjt

Description

Describe the bug

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

Hello, I have found a bug in bgp_attr_psid_sub: there is a missing check for the type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get the reserved field.

/* Placeholder code for the SRv6 L3 Service type */
else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
	if (STREAM_READABLE(peer->curr) < length) {
		flog_err(
			EC_BGP_ATTR_LEN,
			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
			length, STREAM_READABLE(peer->curr));
		return bgp_attr_malformed(args,
			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
			 args->total);
	}

	/* ignore reserved */
	stream_getc(peer->curr);

To Reproduce

When I construct a psid_sub TLV with Type = 5 and Length = 0, FRRouting will crash.

Expected behavior

Screenshots

Versions

  • OS Version:
  • Kernel:
  • FRR Version:

Additional context
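
The bounds rule the report points at, as an added example that is not FRR's code or the reporter's: a declared TLV length has to be checked against the bytes remaining and also against the fixed fields the parser reads next. `struct rbuf`, `l3_service_value_checked`, `run_case` and the 1-byte minimum (taken from the single reserved-byte read in the excerpt) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for a read cursor (hypothetical; not FRR's struct stream). */
struct rbuf {
	const uint8_t *data;
	size_t getp; /* next byte to read */
	size_t endp; /* one past the last valid byte */
};

enum psid_result { PSID_OK = 0, PSID_ERR_LENGTH = -1 };

#define L3_SERVICE_RESERVED_LEN 1 /* the reserved byte the excerpt reads */

/* Validate and skip one L3-Service TLV value; type and length fields were
 * already consumed by the caller. */
int l3_service_value_checked(struct rbuf *b, uint16_t length)
{
	/* Check 1 (present in the excerpt): declared length fits the buffer. */
	if (b->endp - b->getp < length)
		return PSID_ERR_LENGTH;
	/* Check 2 (the missing one): declared length covers the fixed field read
	 * next. Length = 0 passes check 1, so without this the read leaves the TLV. */
	if (length < L3_SERVICE_RESERVED_LEN)
		return PSID_ERR_LENGTH;
	b->getp += L3_SERVICE_RESERVED_LEN;          /* ignore reserved */
	b->getp += length - L3_SERVICE_RESERVED_LEN; /* skip the rest of the value */
	return PSID_OK;
}

/* Constructed input: run the check over `avail` (<= 4) value bytes with a
 * declared length; returns the result and reports the cursor via *getp_out. */
int run_case(size_t avail, uint16_t length, size_t *getp_out)
{
	static const uint8_t value[4] = { 0x00, 0xaa, 0xbb, 0xcc };
	struct rbuf b = { value, 0, avail };
	int rc = l3_service_value_checked(&b, length);
	*getp_out = b.getp;
	return rc;
}

int main(void)
{
	size_t pos;
	/* Length = 0 at end of buffer, the case from the report, must be rejected. */
	return run_case(0, 0, &pos) == PSID_ERR_LENGTH ? 0 : 1;
}
```

On rejection the cursor is left untouched, so the caller can treat the attribute as malformed without having consumed bytes that belong to whatever follows the TLV.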
