Closed
Describe the bug
- [x] Did you check if this is a duplicate issue?
- [x] Did you test it on the latest FRRouting/frr master branch?
I find that FRRouting can accept a malformed EIGRP hello parameter TLV and version TLV. FRRouting doesn't check the completeness of the TLV.
In eigrp_hello_parameter_decode() and eigrp_sw_version_decode(), there is no check whether the input message has enough bytes for these TLVs. The parameter TLV must be 12 bytes, but we can make a packet with a TLV smaller than 12 bytes and FRRouting accepts it and shows it in vtysh.
```c
eigrp_hello_parameter_decode(struct eigrp_neighbor *nbr, struct eigrp_tlv_hdr_type *tlv)
{
	struct eigrp *eigrp = nbr->ei->eigrp;
	/* the TLV header is cast to the 12-byte parameter layout without first
	 * checking that tlv->length (or the remaining packet) covers all 12 bytes */
	struct TLV_Parameter_Type *param = (struct TLV_Parameter_Type *)tlv;
	/* copy over the values passed in by the neighbor */
	nbr->K1 = param->K1;
	nbr->K2 = param->K2;
	nbr->K3 = param->K3;
	nbr->K4 = param->K4;
	nbr->K5 = param->K5;
	nbr->K6 = param->K6;
	nbr->v_holddown = ntohs(param->hold_time);
	/* excerpt ends here in the report */
```
To Reproduce
1. configure
```
frr eigrp 192.168.1.200
router eigrp 7675
network 192.168.1.0/24
```
2. running
I made an EIGRP hello message containing a parameter TLV with length 11 and a hold time field of 0x0f (`00 01 00 0b 01 00 01 00 00 00 0f`).
3. result
I used `show ip eigrp neighbors detail` in vtysh; it shows a hold time of 3836. It over-read one byte in vtysh.
```
# show ip eigrp neighbors detail
EIGRP neighbors for AS(7675)
H   Address         Interface   Hold   Uptime  SRTT  RTO  Q    Seq
                                (sec)          (ms)       Cnt  Num
0   192.168.1.100   ens33       3836   0       0     2    1    0
    Version 0.0/0.0, Retrans: 1, Retries: 0, Waiting for Init
```
The version TLV has the same problem. The script and pcap are in script.zip.
Expected behavior
Screenshots
Versions
- OS Version:
- Kernel:
- FRR Version: 7.3
Additional context
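The defensive check the report asks for, written as an added stand-alone example rather than FRR's own code: a TLV decoder that validates both the declared TLV length and the bytes actually remaining in the packet before touching any field, run over the 11-byte TLV quoted above and over a constructed well-formed hello body. The 12-byte parameter TLV size comes from the report; the 8-byte software-version TLV layout (type 0x0004, vendor major/minor, TLV major/minor) is an assumption made for this example, as are all function and constant names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parameter TLV = 12 bytes as the report states. The software-version TLV size
 * of 8 bytes (vendor major/minor + EIGRP TLV major/minor) is an assumption. */
#define TLV_HDR_LEN            4u
#define TLV_TYPE_PARAMETER     0x0001u
#define TLV_PARAMETER_LEN      12u
#define TLV_TYPE_SW_VERSION    0x0004u
#define TLV_SW_VERSION_LEN     8u

enum tlv_status {
    TLV_OK = 0,
    TLV_ERR_TRUNCATED_HDR,  /* fewer than 4 bytes left: cannot read type/length */
    TLV_ERR_LENGTH_FIELD,   /* declared length below the fixed size for this type */
    TLV_ERR_SHORT_PACKET,   /* declared length runs past the end of the packet */
    TLV_ERR_UNKNOWN_TYPE
};

struct neighbor_state {
    uint8_t  K[6];
    uint16_t v_holddown;
    uint8_t  ver[4];        /* vendor major, vendor minor, tlv major, tlv minor */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static size_t fixed_len_for(uint16_t type)
{
    switch (type) {
    case TLV_TYPE_PARAMETER:  return TLV_PARAMETER_LEN;
    case TLV_TYPE_SW_VERSION: return TLV_SW_VERSION_LEN;
    default:                  return 0;
    }
}

/* Validate one TLV at buf with `remain` bytes left in the packet, then decode it.
 * Nothing is copied into `nbr` unless every field of the TLV is really present. */
enum tlv_status decode_tlv(const uint8_t *buf, size_t remain,
                           struct neighbor_state *nbr, size_t *consumed)
{
    if (remain < TLV_HDR_LEN) return TLV_ERR_TRUNCATED_HDR;
    uint16_t type = rd16(buf), length = rd16(buf + 2);
    size_t need = fixed_len_for(type);
    if (need == 0) return TLV_ERR_UNKNOWN_TYPE;
    /* Two separate checks: `length` is peer-controlled, `remain` is what actually arrived. */
    if (length < need) return TLV_ERR_LENGTH_FIELD;
    if (length > remain) return TLV_ERR_SHORT_PACKET;

    if (type == TLV_TYPE_PARAMETER) {
        for (int i = 0; i < 6; i++) nbr->K[i] = buf[4 + i];
        nbr->v_holddown = rd16(buf + 10);
    } else {
        for (int i = 0; i < 4; i++) nbr->ver[i] = buf[4 + i];
    }
    *consumed = length;
    return TLV_OK;
}

/* Walk all TLVs in a hello body; stop at the first malformed one and report it. */
enum tlv_status decode_hello_tlvs(const uint8_t *body, size_t len,
                                  struct neighbor_state *nbr, size_t *ntlv)
{
    size_t off = 0;
    *ntlv = 0;
    while (off < len) {
        size_t used = 0;
        enum tlv_status st = decode_tlv(body + off, len - off, nbr, &used);
        if (st != TLV_OK) return st;
        off += used;
        (*ntlv)++;
    }
    return TLV_OK;
}

/* Constructed sample inputs. The first is the 11-byte TLV quoted in the report. */
static const uint8_t report_tlv[] = {0x00,0x01,0x00,0x0b,0x01,0x00,0x01,0x00,0x00,0x00,0x0f};
/* A constructed well-formed hello body: 12-byte parameter TLV (hold time 15)
 * followed by an 8-byte software-version TLV. */
static const uint8_t good_body[] = {
    0x00,0x01,0x00,0x0c, 0x01,0x00,0x01,0x00,0x00,0x00, 0x00,0x0f,
    0x00,0x04,0x00,0x08, 0x07,0x03,0x01,0x02
};

enum tlv_status status_of_report_tlv(void)
{
    struct neighbor_state nbr = {0};
    size_t n;
    return decode_hello_tlvs(report_tlv, sizeof report_tlv, &nbr, &n);
}

/* Same well-formed body, but delivered one byte short of its declared size. */
enum tlv_status status_of_truncated_body(void)
{
    struct neighbor_state nbr = {0};
    size_t n;
    return decode_hello_tlvs(good_body, sizeof good_body - 1, &nbr, &n);
}

int holddown_of_good_body(void)
{
    struct neighbor_state nbr = {0};
    size_t n;
    if (decode_hello_tlvs(good_body, sizeof good_body, &nbr, &n) != TLV_OK || n != 2) return -1;
    return nbr.v_holddown;
}

int main(void)
{
    printf("report TLV: status %d (0 would mean accepted)\n", status_of_report_tlv());
    printf("good body: hold time %d\n", holddown_of_good_body());
    return 0;
}
```

With these checks the 11-byte TLV from the report is rejected on its length field before any K value or hold time is read, so nothing from beyond the packet ever reaches the neighbor state shown by vtysh. The second check (declared length against bytes remaining) matters independently: a TLV can declare the correct 12 bytes and still be cut short by the packet boundary, which is the case `status_of_truncated_body()` exercises.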