diff options
author | job <job@cvs.openbsd.org> | 2021-07-30 15:34:38 +0000 |
---|---|---|
committer | job <job@cvs.openbsd.org> | 2021-07-30 15:34:38 +0000 |
commit | ba717c97b389218316c6ad6710545ff83db0c359 (patch) | |
tree | aace8530a2020231f89feab8e0ce62dc5fd37bc6 /usr.sbin | |
parent | 85fcc489cc6a76b85b7b1df315c067834f4f9298 (diff) |
Add checks when reading VRPs with a maxLength via RTR
Ensure the maxLength is greater than or equal to the length of
the accompanying prefix, and less than or equal to the length
(in bits) of an IP address in the address family (32 for IPv4
and 128 for IPv6). The same checks are applied when reading VRPs
from configuration on disk.
OK claudio@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/bgpd/rtr_proto.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/usr.sbin/bgpd/rtr_proto.c b/usr.sbin/bgpd/rtr_proto.c index 4354a580f19..bce48bb41db 100644 --- a/usr.sbin/bgpd/rtr_proto.c +++ b/usr.sbin/bgpd/rtr_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtr_proto.c,v 1.1 2021/02/16 08:29:16 claudio Exp $ */ +/* $OpenBSD: rtr_proto.c,v 1.2 2021/07/30 15:34:37 job Exp $ */ /* * Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org> @@ -449,6 +449,14 @@ rtr_parse_ipv4_prefix(struct rtr_session *rs, uint8_t *buf, size_t len) rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0); return -1; } + if (ip4.prefixlen > ip4.maxlen || ip4.prefixlen > 32 || + ip4.maxlen > 32) { + log_warnx("rtr: %s: received %s: bad prefixlen / maxlen", + log_rtr(rs), log_rtr_type(IPV4_PREFIX)); + rtr_send_error(rs, CORRUPT_DATA, "bad prefixlen / maxlen", + buf, len); + return -1; + } roa->aid = AID_INET; roa->prefixlen = ip4.prefixlen; roa->maxlen = ip4.maxlen; @@ -510,6 +518,14 @@ rtr_parse_ipv6_prefix(struct rtr_session *rs, uint8_t *buf, size_t len) rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0); return -1; } + if (ip6.prefixlen > ip6.maxlen || ip6.prefixlen > 128 || + ip6.maxlen > 128) { + log_warnx("rtr: %s: received %s: bad prefixlen / maxlen", + log_rtr(rs), log_rtr_type(IPV6_PREFIX)); + rtr_send_error(rs, CORRUPT_DATA, "bad prefixlen / maxlen", + buf, len); + return -1; + } roa->aid = AID_INET6; roa->prefixlen = ip6.prefixlen; roa->maxlen = ip6.maxlen; |