summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Lamparter <equinox@opensourcerouting.org>2012-05-08 13:32:53 +0200
committerDavid Lamparter <equinox@opensourcerouting.org>2012-10-25 10:15:59 -0700
commit655071f44aab42e89bcece3a93da456fdd0d913a (patch)
tree85c195b18df1d6e64c59a5193791d2ae7333c4a0
parent80a21dc60fa007bb00437fdc047c3e059232639f (diff)
isisd: don't overrun list of protocols
isisd currently has a list of supported protocols as a fixed array of size 4. this can be overran, leading to an overwrite of the ipv4_addrs pointer. * isisd/isis_pdu.c: don't accept more protocols than there's space for Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
-rw-r--r--isisd/isis_pdu.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index ffc67178..bfa1e4e9 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -311,7 +311,7 @@ tlvs_to_adj_area_addrs (struct tlvs *tlvs, struct isis_adjacency *adj)
}
}
-static void
+static int
tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
{
int i;
@@ -321,6 +321,8 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
{
tlv_nlpids = tlvs->nlpids;
+ if (tlv_nlpids->count > array_size (adj->nlpids.nlpids))
+ return 1;
adj->nlpids.count = tlv_nlpids->count;
@@ -329,6 +331,7 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
adj->nlpids.nlpids[i] = tlv_nlpids->nlpids[i];
}
}
+ return 0;
}
static void
@@ -548,7 +551,8 @@ process_p2p_hello (struct isis_circuit *circuit)
/* which protocol are spoken ??? */
if (found & TLVFLAG_NLPID)
- tlvs_to_adj_nlpids (&tlvs, adj);
+ if (tlvs_to_adj_nlpids (&tlvs, adj))
+ return ISIS_ERROR;
/* we need to copy addresses to the adj */
if (found & TLVFLAG_IPV4_ADDR)