diff options
| author |   Filip Varga <filip.varga@pantheon.tech> | 2018-11-05 09:41:56 +0100 |
|---|---|---|
| committer |   Damjan Marion <dmarion@me.com> | 2018-11-06 14:14:03 +0000 |
| commit | 3206bb15aa65f6b4bd933844cffc26967aab6ed6 (patch) | |
| tree | 7660dd9e43a2a6814f0baa1602c3b1b29229cf2c | |
| parent | 55c6c4a422f34365b2c32ad0a107a058aa64fd8d (diff) | |
VPP-1481: fixed tlv length checking & added tests
Change-Id: I9375bca5f5136c84d801dbd635929bb1c37d75b4
Signed-off-by: Filip Varga <filip.varga@pantheon.tech>
| -rw-r--r-- | src/plugins/cdp/cdp_input.c | 12 | ||||
| -rw-r--r-- | test/test_cdp.py | 12 |
2 files changed, 19 insertions, 5 deletions
diff --git a/src/plugins/cdp/cdp_input.c b/src/plugins/cdp/cdp_input.c index dd3619cb8ac..a27113d18eb 100644 --- a/src/plugins/cdp/cdp_input.c +++ b/src/plugins/cdp/cdp_input.c @@ -93,8 +93,11 @@ format_text_tlv (u8 * s, va_list * va) s = format (s, "%s(%d): ", h->name, t->t); - for (i = 0; i < (t->l - sizeof (*t)); i++) - vec_add1 (s, t->v[i]); + if (t->l >= 4) + { + for (i = 0; i < (t->l - sizeof (*t)); i++) + vec_add1 (s, t->v[i]); + } vec_add1 (s, '\n'); return s; @@ -284,9 +287,14 @@ cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n) tlv->l = ntohs (tlv->l); /* tlv length includes t, l and v */ + + if (tlv->l < 4) + return CDP_ERROR_BAD_TLV; + cur += tlv->l; if ((cur - 1) > end) return CDP_ERROR_BAD_TLV; + /* * Only process known TLVs. In practice, certain * devices send tlv->t = 0xFF, perhaps as an EOF of sorts. diff --git a/test/test_cdp.py b/test/test_cdp.py index 3eec4a73244..ac42bf084a2 100644 --- a/test/test_cdp.py +++ b/test/test_cdp.py @@ -91,9 +91,15 @@ class TestCDP(VppTestCase): self.assert_equal(system, self.device_id, "CDP received invalid device id") - def test_send_cdp_bad_packet(self): + def test_cdp_underflow_tlv(self): + self.send_bad_packet(3, ".") + + def test_cdp_overflow_tlv(self): + self.send_bad_packet(8, ".") + + def send_bad_packet(self, l, v): self.logger.info(self.vapi.cli("cdp enable")) - self.send_packet(self.create_bad_packet(8, ".")) + self.send_packet(self.create_bad_packet(l, v)) errors = list(self.show_errors()) self.assertTrue(errors) @@ -102,7 +108,7 @@ class TestCDP(VppTestCase): for count, node, reason in errors: if (node == u'cdp-input' and reason == u'cdp packets with bad TLVs' and - int(count) == 1): + int(count) >= 1): expected_errors = True break |