From 115a3ac59a16f9dcfee92eaecc79cd1fa3320e29 Mon Sep 17 00:00:00 2001 From: Filip Varga Date: Mon, 22 Oct 2018 12:36:58 +0200 Subject: VPP-1420 CDP check memory bounds fix Change-Id: I7951ffd050acb618dd20b86ae5946e1228ff5d79 Signed-off-by: Filip Varga --- src/plugins/cdp/cdp_input.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'src/plugins') diff --git a/src/plugins/cdp/cdp_input.c b/src/plugins/cdp/cdp_input.c index bce8eebe7b0..66ae97142c5 100644 --- a/src/plugins/cdp/cdp_input.c +++ b/src/plugins/cdp/cdp_input.c @@ -250,7 +250,7 @@ process_cdp_hdr (cdp_main_t * cm, cdp_neighbor_t * n, cdp_hdr_t * h) static int cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n) { - u8 *cur = n->last_rx_pkt; + u8 *end, *cur = n->last_rx_pkt; cdp_hdr_t *h; cdp_tlv_t *tlv; cdp_error_t e = CDP_ERROR_NONE; @@ -269,13 +269,24 @@ cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n) if (e) return e; + // there are no tlvs + if (vec_len (n->last_rx_pkt) <= 0) + return CDP_ERROR_BAD_TLV; + cur = (u8 *) (h + 1); + end = n->last_rx_pkt + vec_len (n->last_rx_pkt) - 1; - while (cur < n->last_rx_pkt + vec_len (n->last_rx_pkt) - 1) + // look ahead 4 bytes (u16 tlv->t + u16 tlv->l) + while (cur + 3 <= end) { tlv = (cdp_tlv_t *) cur; tlv->t = ntohs (tlv->t); tlv->l = ntohs (tlv->l); + + /* tlv length includes t, l and v */ + cur += tlv->l; + if ((cur - 1) > end) + return CDP_ERROR_BAD_TLV; /* * Only process known TLVs. In practice, certain * devices send tlv->t = 0xFF, perhaps as an EOF of sorts. @@ -288,10 +299,12 @@ cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n) if (e) return e; } - /* tlv length includes (t, l) */ - cur += tlv->l; } + // did not process all tlvs or none tlv processed + if ((cur - 1) != end) + return CDP_ERROR_BAD_TLV; + return CDP_ERROR_NONE; } -- cgit 1.2.3-korg