zebra: Prevent zebra vxlan remote macip del buffer overflow

================================================================= ==13611==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9e5c8694 at pc 0x0000004d18ac bp 0x7ffe9e5c8330 sp 0x7ffe9e5c7ae0 WRITE of size 17 at 0x7ffe9e5c8694 thread T0 #0 0x4d18ab in __asan_memcpy (/usr/lib/frr/zebra+0x4d18ab) #1 0x7f16f04bd97f in stream_get2 /home/qlyoung/frr/lib/stream.c:277:2 #2 0x6410ec in zebra_vxlan_remote_macip_del /home/qlyoung/frr/zebra/zebra_vxlan.c:7718:4 #3 0x68fa98 in zserv_handle_commands /home/qlyoung/frr/zebra/zapi_msg.c:2611:3 #4 0x556add in main /home/qlyoung/frr/zebra/main.c:309:2 #5 0x7f16eea3bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #6 0x431249 in _start (/usr/lib/frr/zebra+0x431249) This decode is the result of a buffer overflow because we are not checking ipa_len. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
qlyoung · Jan 7, 2020 · 4824d14 · 4824d14
1 parent 19b3676
commit 4824d14
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/zebra/zebra_vxlan.c b/zebra/zebra_vxlan.c
@@ -7712,9 +7712,20 @@ void zebra_vxlan_remote_macip_del(ZAPI_HANDLER_ARGS)
 		STREAM_GETL(s, vni);
 		STREAM_GET(&macaddr.octet, s, ETH_ALEN);
 		STREAM_GETL(s, ipa_len);
+
 		if (ipa_len) {
-			ip.ipa_type = (ipa_len == IPV4_MAX_BYTELEN) ? IPADDR_V4
-								    : IPADDR_V6;
+			if (ipa_len == IPV4_MAX_BYTELEN)
+				ip.ipa_type = IPADDR_V4;
+			else if (ipa_len == IPV6_MAX_BYTELEN)
+				ip.ipa_type = IPADDR_V6;
+			else {
+				if (IS_ZEBRA_DEBUG_VXLAN)
+					zlog_debug("ipa_len *must* be %d or %d bytes in length not %d",
+						   IPV4_MAX_BYTELEN,
+						   IPV6_MAX_BYTELEN, ipa_len);
+				goto stream_failure;
+			}
+
 			STREAM_GET(&ip.ip.addr, s, ipa_len);
 		}
 		l += 4 + ETH_ALEN + 4 + ipa_len;