Skip to content

Commit

Permalink
zebra: Prevent zebra vxlan remote macip del buffer overflow
Browse files Browse the repository at this point in the history
=================================================================
==13611==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9e5c8694 at pc 0x0000004d18ac bp 0x7ffe9e5c8330 sp 0x7ffe9e5c7ae0
WRITE of size 17 at 0x7ffe9e5c8694 thread T0
    #0 0x4d18ab in __asan_memcpy (/usr/lib/frr/zebra+0x4d18ab)
    #1 0x7f16f04bd97f in stream_get2 /home/qlyoung/frr/lib/stream.c:277:2
    #2 0x6410ec in zebra_vxlan_remote_macip_del /home/qlyoung/frr/zebra/zebra_vxlan.c:7718:4
    #3 0x68fa98 in zserv_handle_commands /home/qlyoung/frr/zebra/zapi_msg.c:2611:3
    #4 0x556add in main /home/qlyoung/frr/zebra/main.c:309:2
    #5 0x7f16eea3bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x431249 in _start (/usr/lib/frr/zebra+0x431249)

This decode is the result of a buffer overflow because we are
not checking ipa_len.

Signed-off-by: Donald Sharp <[email protected]>
  • Loading branch information
donaldsharp authored and qlyoung committed Jan 3, 2020
1 parent 8ba5773 commit af99e93
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions zebra/zebra_vxlan.c
Original file line number Diff line number Diff line change
Expand Up @@ -7712,9 +7712,19 @@ void zebra_vxlan_remote_macip_del(ZAPI_HANDLER_ARGS)
STREAM_GETL(s, vni);
STREAM_GET(&macaddr.octet, s, ETH_ALEN);
STREAM_GETL(s, ipa_len);

if (ipa_len) {
if (ipa_len != IPV4_MAX_BYTELEN &&
ipa_len != IPV6_MAX_BYTELEN) {
if (IS_ZEBRA_DEBUG_VXLAN)
zlog_debug("ipa_len *must* be %d or %d bytes in length not %d",
IPV4_MAX_BYTELEN,
IPV6_MAX_BYTELEN, ipa_len);
goto stream_failure;
}
ip.ipa_type = (ipa_len == IPV4_MAX_BYTELEN) ? IPADDR_V4
: IPADDR_V6;

STREAM_GET(&ip.ip.addr, s, ipa_len);
}
l += 4 + ETH_ALEN + 4 + ipa_len;
Expand Down

0 comments on commit af99e93

Please sign in to comment.