From 655071f44aab42e89bcece3a93da456fdd0d913a Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Tue, 8 May 2012 13:32:53 +0200
Subject: isisd: don't overrun list of protocols
isisd currently has a list of supported protocols as a fixed array of size 4. this can be overran, leading to an overwrite of the ipv4_addrs pointer.
* isisd/isis_pdu.c: don't accept more protocols than there's space for
Signed-off-by: David Lamparter
---
isisd/isis_pdu.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'isisd/isis_pdu.c')
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index ffc67178..bfa1e4e9 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -311,7 +311,7 @@ tlvs_to_adj_area_addrs (struct tlvs *tlvs, struct isis_adjacency *adj)
 }
 }
-static void
+static int
 tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 {
 int i;
@@ -321,6 +321,8 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 {
 tlv_nlpids = tlvs->nlpids;
+ if (tlv_nlpids->count > array_size (adj->nlpids.nlpids))
+ return 1;
 adj->nlpids.count = tlv_nlpids->count;
@@ -329,6 +331,7 @@ tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
 adj->nlpids.nlpids[i] = tlv_nlpids->nlpids[i];
 }
 }
+ return 0;
 }
 static void
@@ -548,7 +551,8 @@ process_p2p_hello (struct isis_circuit *circuit)
 /* which protocol are spoken ??? */
 if (found & TLVFLAG_NLPID)
- tlvs_to_adj_nlpids (&tlvs, adj);
+ if (tlvs_to_adj_nlpids (&tlvs, adj))
+ return ISIS_ERROR;
 /* we need to copy addresses to the adj */
 if (found & TLVFLAG_IPV4_ADDR)
--
cgit v1.2.1
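Review bot: The bounds check added in tlvs_to_adj_nlpids (hunk at -321) rejects an oversized NLPID list silently and reports it with a bare `1`, so nothing in the logs shows that a neighbour sent a hello listing more protocols than the adjacency can hold. Because the count comes from a received PDU, a warning that records the offending count would help detection, and the new contract deserves a comment above the function, for example `/* returns 0 on success, nonzero if the TLV lists more NLPIDs than adj->nlpids can hold; adj is left unchanged in that case */`. The comparison itself matches the `i < count` copy loop, assuming `count` is an unsigned type, which is not visible in this diff. The function's signature and its final return sit in the neighbouring hunks, so its body is only partly shown here.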
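Review bot: The early `return ISIS_ERROR;` added in process_p2p_hello (hunk at -548) leaves the function before whatever cleanup follows later in the body, which is outside this hunk; if `tlvs` owns memory filled in by the TLV parser, every rejected hello would leak it, and the rate of such hellos is controlled by the remote peer. Confirm that this error path releases `tlvs` and any adjacency state set up earlier in the function before returning. The nested unbraced `if` is also easy to misread if an `else` is added later; `if ((found & TLVFLAG_NLPID) && tlvs_to_adj_nlpids (&tlvs, adj))` or explicit braces would be clearer. Only this call site is updated in the diff, so any other caller of tlvs_to_adj_nlpids in the file would now discard the new return value and continue with an adjacency whose protocol list was not updated.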