summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorFilip Varga <fivarga@cisco.com>2018-10-22 12:36:58 +0200
committerDamjan Marion <dmarion@me.com>2018-10-22 11:52:44 +0000
commit115a3ac59a16f9dcfee92eaecc79cd1fa3320e29 (patch)
tree8d3a0c5fa52c10a45a6697b1219676a877a5552f /src
parent31555a3475a37195938378217a635b3451e449de (diff)
VPP-1420 CDP check memory bounds fix
Change-Id: I7951ffd050acb618dd20b86ae5946e1228ff5d79 Signed-off-by: Filip Varga <fivarga@cisco.com>
Diffstat (limited to 'src')
-rw-r--r--src/plugins/cdp/cdp_input.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/src/plugins/cdp/cdp_input.c b/src/plugins/cdp/cdp_input.c
index bce8eebe7b0..66ae97142c5 100644
--- a/src/plugins/cdp/cdp_input.c
+++ b/src/plugins/cdp/cdp_input.c
@@ -250,7 +250,7 @@ process_cdp_hdr (cdp_main_t * cm, cdp_neighbor_t * n, cdp_hdr_t * h)
static int
cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n)
{
- u8 *cur = n->last_rx_pkt;
+ u8 *end, *cur = n->last_rx_pkt;
cdp_hdr_t *h;
cdp_tlv_t *tlv;
cdp_error_t e = CDP_ERROR_NONE;
@@ -269,13 +269,24 @@ cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n)
if (e)
return e;
+ // there are no tlvs
+ if (vec_len (n->last_rx_pkt) <= 0)
+ return CDP_ERROR_BAD_TLV;
+
cur = (u8 *) (h + 1);
+ end = n->last_rx_pkt + vec_len (n->last_rx_pkt) - 1;
- while (cur < n->last_rx_pkt + vec_len (n->last_rx_pkt) - 1)
+ // look ahead 4 bytes (u16 tlv->t + u16 tlv->l)
+ while (cur + 3 <= end)
{
tlv = (cdp_tlv_t *) cur;
tlv->t = ntohs (tlv->t);
tlv->l = ntohs (tlv->l);
+
+ /* tlv length includes t, l and v */
+ cur += tlv->l;
+ if ((cur - 1) > end)
+ return CDP_ERROR_BAD_TLV;
/*
* Only process known TLVs. In practice, certain
* devices send tlv->t = 0xFF, perhaps as an EOF of sorts.
@@ -288,10 +299,12 @@ cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n)
if (e)
return e;
}
- /* tlv length includes (t, l) */
- cur += tlv->l;
}
+ // did not process all tlvs or none tlv processed
+ if ((cur - 1) != end)
+ return CDP_ERROR_BAD_TLV;
+
return CDP_ERROR_NONE;
}