From e4c67fba44a17523be29bfade903ee658b35c531 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Fri, 3 Jan 2020 12:55:09 -0500 Subject: [PATCH] zebra: Prevent zebra vxlan remote macip del buffer overflow ================================================================= ==13611==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9e5c8694 at pc 0x0000004d18ac bp 0x7ffe9e5c8330 sp 0x7ffe9e5c7ae0 WRITE of size 17 at 0x7ffe9e5c8694 thread T0 #0 0x4d18ab in __asan_memcpy (/usr/lib/frr/zebra+0x4d18ab) #1 0x7f16f04bd97f in stream_get2 /home/qlyoung/frr/lib/stream.c:277:2 #2 0x6410ec in zebra_vxlan_remote_macip_del /home/qlyoung/frr/zebra/zebra_vxlan.c:7718:4 #3 0x68fa98 in zserv_handle_commands /home/qlyoung/frr/zebra/zapi_msg.c:2611:3 #4 0x556add in main /home/qlyoung/frr/zebra/main.c:309:2 #5 0x7f16eea3bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #6 0x431249 in _start (/usr/lib/frr/zebra+0x431249) This decode is the result of a buffer overflow because we are not checking ipa_len. Signed-off-by: Donald Sharp --- zebra/zebra_vxlan.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/zebra/zebra_vxlan.c b/zebra/zebra_vxlan.c index 086b13d67096..68682c2e118f 100644 --- a/zebra/zebra_vxlan.c +++ b/zebra/zebra_vxlan.c @@ -7712,9 +7712,19 @@ void zebra_vxlan_remote_macip_del(ZAPI_HANDLER_ARGS) STREAM_GETL(s, vni); STREAM_GET(&macaddr.octet, s, ETH_ALEN); STREAM_GETL(s, ipa_len); + if (ipa_len) { + if (ipa_len != IPV4_MAX_BYTELEN && + ipa_len != IPV6_MAX_BYTELEN) { + if (IS_ZEBRA_DEBUG_VXLAN) + zlog_debug("ipa_len *must* be %d or %d bytes in length not %d", + IPV4_MAX_BYTELEN, + IPV6_MAX_BYTELEN, ipa_len); + goto stream_failure; + } ip.ipa_type = (ipa_len == IPV4_MAX_BYTELEN) ? IPADDR_V4 : IPADDR_V6; + STREAM_GET(&ip.ip.addr, s, ipa_len); } l += 4 + ETH_ALEN + 4 + ipa_len;