summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorjob <job@cvs.openbsd.org>2021-07-30 15:34:38 +0000
committerjob <job@cvs.openbsd.org>2021-07-30 15:34:38 +0000
commitba717c97b389218316c6ad6710545ff83db0c359 (patch)
treeaace8530a2020231f89feab8e0ce62dc5fd37bc6 /usr.sbin
parent85fcc489cc6a76b85b7b1df315c067834f4f9298 (diff)
Add checks when reading VRPs with a maxLength via RTR
Ensure the maxLength is greater than or equal to the length of the accompanying prefix, and less than or equal to the length (in bits) of an IP address in the address family (32 for IPv4 and 128 for IPv6). The same checks are applied when reading VRPs from configuration on disk. OK claudio@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/bgpd/rtr_proto.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/usr.sbin/bgpd/rtr_proto.c b/usr.sbin/bgpd/rtr_proto.c
index 4354a580f19..bce48bb41db 100644
--- a/usr.sbin/bgpd/rtr_proto.c
+++ b/usr.sbin/bgpd/rtr_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtr_proto.c,v 1.1 2021/02/16 08:29:16 claudio Exp $ */
+/* $OpenBSD: rtr_proto.c,v 1.2 2021/07/30 15:34:37 job Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
@@ -449,6 +449,14 @@ rtr_parse_ipv4_prefix(struct rtr_session *rs, uint8_t *buf, size_t len)
rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0);
return -1;
}
+ if (ip4.prefixlen > ip4.maxlen || ip4.prefixlen > 32 ||
+ ip4.maxlen > 32) {
+ log_warnx("rtr: %s: received %s: bad prefixlen / maxlen",
+ log_rtr(rs), log_rtr_type(IPV4_PREFIX));
+ rtr_send_error(rs, CORRUPT_DATA, "bad prefixlen / maxlen",
+ buf, len);
+ return -1;
+ }
roa->aid = AID_INET;
roa->prefixlen = ip4.prefixlen;
roa->maxlen = ip4.maxlen;
@@ -510,6 +518,14 @@ rtr_parse_ipv6_prefix(struct rtr_session *rs, uint8_t *buf, size_t len)
rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0);
return -1;
}
+ if (ip6.prefixlen > ip6.maxlen || ip6.prefixlen > 128 ||
+ ip6.maxlen > 128) {
+ log_warnx("rtr: %s: received %s: bad prefixlen / maxlen",
+ log_rtr(rs), log_rtr_type(IPV6_PREFIX));
+ rtr_send_error(rs, CORRUPT_DATA, "bad prefixlen / maxlen",
+ buf, len);
+ return -1;
+ }
roa->aid = AID_INET6;
roa->prefixlen = ip6.prefixlen;
roa->maxlen = ip6.maxlen;