Headline
CVE-2022-26125: isisd: overflow bugs in unpack_tlv_router_cap · Issue #10507 · FRRouting/frr
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.
subtlv_len = tlv_len - ISIS_ROUTER_CAP_SIZE;
while (subtlv_len > 2) {
uint8_t msd_type;
type = stream_getc(s);
length = stream_getc(s);
switch (type) {
case ISIS_SUBTLV_SID_LABEL_RANGE:
/* Check that SRGB is correctly formated */
if (length < SUBTLV_RANGE_LABEL_SIZE
|| length > SUBTLV_RANGE_INDEX_SIZE) {
stream_forward_getp(s, length);
continue;
}
/* Only one SRGB is supported. Skip subsequent one */
if (rcap->srgb.range_size != 0) {
stream_forward_getp(s, length);
continue;
}
rcap->srgb.flags = stream_getc(s);
rcap->srgb.range_size = stream_get3(s);
/* Skip Type and get Length of SID Label */
stream_getc(s);
size = stream_getc(s);
if (size == ISIS_SUBTLV_SID_LABEL_SIZE)
rcap->srgb.lower_bound = stream_get3(s);
else
rcap->srgb.lower_bound = stream_getl(s);
/* SRGB sanity checks. */
if (rcap->srgb.range_size == 0
|| (rcap->srgb.lower_bound <= MPLS_LABEL_RESERVED_MAX)
|| ((rcap->srgb.lower_bound + rcap->srgb.range_size - 1)
> MPLS_LABEL_UNRESERVED_MAX)) {
sbuf_push(log, indent, “Invalid label range. Reset SRGB\n”);
rcap->srgb.lower_bound = 0;
rcap->srgb.range_size = 0;
}
/* Only one range is supported. Skip subsequent one */
size = length - (size + SUBTLV_SR_BLOCK_SIZE);
if (size > 0)
stream_forward_getp(s, length);
break;
case ISIS_SUBTLV_ALGORITHM:
/* Only 2 algorithms are supported: SPF & Strict SPF */
stream_get(&rcap->algo, s,
length > SR_ALGORITHM_COUNT
? SR_ALGORITHM_COUNT
: length);
if (length > SR_ALGORITHM_COUNT)
stream_forward_getp(
s, length - SR_ALGORITHM_COUNT);
break;
case ISIS_SUBTLV_SRLB:
/* Check that SRLB is correctly formated */
if (length < SUBTLV_RANGE_LABEL_SIZE
|| length > SUBTLV_RANGE_INDEX_SIZE) {
stream_forward_getp(s, length);
continue;
}
/* RFC 8667 section #3.3: Only one SRLB is authorized */
if (rcap->srlb.range_size != 0) {
stream_forward_getp(s, length);
continue;
}
/* Ignore Flags which are not defined */
stream_getc(s);
rcap->srlb.range_size = stream_get3(s);
/* Skip Type and get Length of SID Label */
stream_getc(s);
size = stream_getc(s);
if (size == ISIS_SUBTLV_SID_LABEL_SIZE)
rcap->srlb.lower_bound = stream_get3(s);
else
rcap->srlb.lower_bound = stream_getl(s);
/* SRLB sanity checks. */
if (rcap->srlb.range_size == 0
|| (rcap->srlb.lower_bound <= MPLS_LABEL_RESERVED_MAX)
|| ((rcap->srlb.lower_bound + rcap->srlb.range_size - 1)
> MPLS_LABEL_UNRESERVED_MAX)) {
sbuf_push(log, indent, “Invalid label range. Reset SRLB\n”);
rcap->srlb.lower_bound = 0;
rcap->srlb.range_size = 0;
}
/* Only one range is supported. Skip subsequent one */
size = length - (size + SUBTLV_SR_BLOCK_SIZE);
if (size > 0)
stream_forward_getp(s, length);
break;
case ISIS_SUBTLV_NODE_MSD:
/* Check that MSD is correctly formated */
if (length < MSD_TLV_SIZE) {
stream_forward_getp(s, length);
continue;
}
msd_type = stream_getc(s);
rcap->msd = stream_getc(s);
/* Only BMI-MSD type has been defined in RFC 8491 */
if (msd_type != MSD_TYPE_BASE_MPLS_IMPOSITION)
rcap->msd = 0;
/* Only one MSD is standardized. Skip others */
if (length > MSD_TLV_SIZE)
stream_forward_getp(s, length - MSD_TLV_SIZE);
break;
default:
stream_forward_getp(s, length);
break;
}
subtlv_len = subtlv_len - length - 2;
}