diff options
author | David Lamparter <equinox@opensourcerouting.org> | 2012-05-08 13:32:53 +0200 |
---|---|---|
committer | David Lamparter <equinox@opensourcerouting.org> | 2012-10-25 10:15:59 -0700 |
commit | 655071f44aab42e89bcece3a93da456fdd0d913a (patch) | |
tree | 85c195b18df1d6e64c59a5193791d2ae7333c4a0 | |
parent | 80a21dc60fa007bb00437fdc047c3e059232639f (diff) |
isisd: don't overrun list of protocols
isisd currently has a list of supported protocols as a fixed array of
size 4. this can be overran, leading to an overwrite of the ipv4_addrs
pointer.
* isisd/isis_pdu.c: don't accept more protocols than there's space for
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
-rw-r--r-- | isisd/isis_pdu.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c index ffc67178..bfa1e4e9 100644 --- a/isisd/isis_pdu.c +++ b/isisd/isis_pdu.c @@ -311,7 +311,7 @@ tlvs_to_adj_area_addrs (struct tlvs *tlvs, struct isis_adjacency *adj) } } -static void +static int tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj) { int i; @@ -321,6 +321,8 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj) { tlv_nlpids = tlvs->nlpids; + if (tlv_nlpids->count > array_size (adj->nlpids.nlpids)) + return 1; adj->nlpids.count = tlv_nlpids->count; @@ -329,6 +331,7 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj) adj->nlpids.nlpids[i] = tlv_nlpids->nlpids[i]; } } + return 0; } static void @@ -548,7 +551,8 @@ process_p2p_hello (struct isis_circuit *circuit) /* which protocol are spoken ??? */ if (found & TLVFLAG_NLPID) - tlvs_to_adj_nlpids (&tlvs, adj); + if (tlvs_to_adj_nlpids (&tlvs, adj)) + return ISIS_ERROR; /* we need to copy addresses to the adj */ if (found & TLVFLAG_IPV4_ADDR) |