From: job Date: Fri, 30 Jul 2021 15:34:37 +0000 (+0000) Subject: Add checks when reading VRPs with a maxLength via RTR X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1eccb425429151dba6183280e853fbf072e4f528;p=openbsd Add checks when reading VRPs with a maxLength via RTR Ensure the maxLength is greater than or equal to the length of the accompanying prefix, and less than or equal to the length (in bits) of an IP address in the address family (32 for IPv4 and 128 for IPv6). The same checks are applied when reading VRPs from configuration on disk. OK claudio@ --- diff --git a/usr.sbin/bgpd/rtr_proto.c b/usr.sbin/bgpd/rtr_proto.c index 4354a580f19..bce48bb41db 100644 --- a/usr.sbin/bgpd/rtr_proto.c +++ b/usr.sbin/bgpd/rtr_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtr_proto.c,v 1.1 2021/02/16 08:29:16 claudio Exp $ */ +/* $OpenBSD: rtr_proto.c,v 1.2 2021/07/30 15:34:37 job Exp $ */ /* * Copyright (c) 2020 Claudio Jeker @@ -449,6 +449,14 @@ rtr_parse_ipv4_prefix(struct rtr_session *rs, uint8_t *buf, size_t len) rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0); return -1; } + if (ip4.prefixlen > ip4.maxlen || ip4.prefixlen > 32 || + ip4.maxlen > 32) { + log_warnx("rtr: %s: received %s: bad prefixlen / maxlen", + log_rtr(rs), log_rtr_type(IPV4_PREFIX)); + rtr_send_error(rs, CORRUPT_DATA, "bad prefixlen / maxlen", + buf, len); + return -1; + } roa->aid = AID_INET; roa->prefixlen = ip4.prefixlen; roa->maxlen = ip4.maxlen; @@ -510,6 +518,14 @@ rtr_parse_ipv6_prefix(struct rtr_session *rs, uint8_t *buf, size_t len) rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0); return -1; } + if (ip6.prefixlen > ip6.maxlen || ip6.prefixlen > 128 || + ip6.maxlen > 128) { + log_warnx("rtr: %s: received %s: bad prefixlen / maxlen", + log_rtr(rs), log_rtr_type(IPV6_PREFIX)); + rtr_send_error(rs, CORRUPT_DATA, "bad prefixlen / maxlen", + buf, len); + return -1; + } roa->aid = AID_INET6; roa->prefixlen = ip6.prefixlen; roa->maxlen = ip6.maxlen;