eigrpd: validate TLV lengths #8565

Merged
merged 1 commit into from
Apr 26, 2021
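--- a/eigrpd/eigrp_hello.c
+++ b/eigrpd/eigrp_hello.c
@@ -125,6 +125,10 @@ eigrp_hello_parameter_decode(struct eigrp_neighbor *nbr,
 struct eigrp *eigrp = nbr->ei->eigrp;
 struct TLV_Parameter_Type *param = (struct TLV_Parameter_Type *)tlv;
 
+/* First validate TLV length */
+if (tlv->length < sizeof(struct TLV_Parameter_Type))
+return NULL;
+
 /* copy over the values passed in by the neighbor */
 nbr->K1 = param->K1;
 nbr->K2 = param->K2;
@@ -194,13 +198,22 @@ eigrp_hello_authentication_decode(struct stream *s,
 
 md5 = (struct TLV_MD5_Authentication_Type *)tlv_header;
 
-if (md5->auth_type == EIGRP_AUTH_TYPE_MD5)
+if (md5->auth_type == EIGRP_AUTH_TYPE_MD5) {
+/* Validate tlv length */
+if (md5->length < sizeof(struct TLV_MD5_Authentication_Type))
+return 0;
+
 return eigrp_check_md5_digest(s, md5, nbr,
 EIGRP_AUTH_BASIC_HELLO_FLAG);
-else if (md5->auth_type == EIGRP_AUTH_TYPE_SHA256)
+} else if (md5->auth_type == EIGRP_AUTH_TYPE_SHA256) {
+/* Validate tlv length */
+if (md5->length < sizeof(struct TLV_SHA256_Authentication_Type))
+return 0;
+
 return eigrp_check_sha256_digest(
 s, (struct TLV_SHA256_Authentication_Type *)tlv_header,
 nbr, EIGRP_AUTH_BASIC_HELLO_FLAG);
+}
 
 return 0;
 }
@@ -223,6 +236,10 @@ static void eigrp_sw_version_decode(struct eigrp_neighbor *nbr,
 {
 struct TLV_Software_Type *version = (struct TLV_Software_Type *)tlv;
 
+/* Validate TLV length */
+if (tlv->length < sizeof(struct TLV_Software_Type))
+return;
+
 nbr->os_rel_major = version->vender_major;
 nbr->os_rel_minor = version->vender_minor;
 nbr->tlv_rel_major = version->eigrp_major;
@@ -250,6 +267,10 @@ static void eigrp_peer_termination_decode(struct eigrp_neighbor *nbr,
 struct TLV_Peer_Termination_type *param =
 (struct TLV_Peer_Termination_type *)tlv;
 
+/* Validate TLV length */
+if (tlv->length < sizeof(struct TLV_Peer_Termination_type))
+return;
+
 uint32_t my_ip = nbr->ei->address.u.prefix4.s_addr;
 uint32_t received_ip = param->neighbor_ip;
 
@@ -346,6 +367,10 @@ void eigrp_hello_receive(struct eigrp *eigrp, struct ip *iph,
 type = ntohs(tlv_header->type);
 length = ntohs(tlv_header->length);
 
+/* Validate length against packet size */
+if (length > size)
+return;
+
 if ((length > 0) && (length <= size)) {
 if (IS_DEBUG_EIGRP_PACKET(0, RECV))
 zlog_debug(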
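Review bot: The length guards added to the four decode helpers compare the raw on-wire field (`tlv->length`, `md5->length`) with `sizeof(...)`, while eigrp_hello_receive in the last hunk reads the same field through `ntohs(tlv_header->length)`. Unless the header is byte-swapped in place somewhere outside these hunks, on a little-endian host a declared length of 4 (a constructed example) is read as 0x0400 and passes `tlv->length < sizeof(struct TLV_Parameter_Type)`, so a truncated TLV would not be rejected before the struct fields are copied. Comparing the converted value, e.g. `if (ntohs(tlv->length) < sizeof(struct TLV_Parameter_Type)) return NULL;` and likewise for the software-version, peer-termination and authentication checks, would make the guards effective on every host. In eigrp_hello_authentication_decode `md5->auth_type` is also read before any length has been checked, and each early return drops the packet silently, so a `zlog_debug` on the reject path would make malformed hellos visible to operators. All five functions begin and end outside the hunks shown.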