CVE-2022-26127: Miss a check on length in Babel · Issue #10487 · FRRouting/frr
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a missing check on the input packet length in the babel_packet_examin function in babeld/message.c.
The code below never checks the relationship between packetlen (the number of bytes actually received) and bodylen (the body length claimed by the packet header) before the loop at Line 298. A packet whose header advertises a bodylen larger than the datagram makes the loop walk past the end of the buffer, so the reads at Line 300 (`type = message[0]`) and Line 309 (`len = message[1]`) become out-of-bounds heap reads.
babel_packet_examin(const unsigned char *packet, int packetlen)
{
    unsigned i = 0, bodylen;
    const unsigned char *message;
    unsigned char type, len;

    /* Only the 4-byte header is validated against packetlen. */
    if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
        return 1;
    /* bodylen comes straight from the packet and is never compared to packetlen. */
    DO_NTOHS(bodylen, packet + 2);
    while (i < bodylen){                 /* Line 298 */
        message = packet + 4 + i;
        type = message[0];               /* Line 300: reads packet[4 + i] */
        if(type == MESSAGE_PAD1) {
            i++;
            continue;
        }
        if(i + 1 > bodylen) {
            debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
            return 1;
        }
        len = message[1];                /* Line 309: reads packet[5 + i] */
To fix, we may put the code below before the while loop:
    if (packetlen < bodylen + 4) {
        debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
        return 1;
    }
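The following is an added example, not FRR's code and not part of the report. It puts a simulation of the unchecked walk quoted above next to a fully bounds-checked walker and runs both over constructed packets. Function names (`unchecked_walk_first_oob`, `babel_packet_examin_checked`) are hypothetical; the TLV stride of `len + 2` bytes and the Pad1 type value 0 are taken from the RFC 6126 TLV layout (1-byte type, 1-byte length, value), which the issue does not show. The simulation never dereferences outside the buffer: it reports the index the original loop would have read instead. Note one further point visible in the quoted snippet: `if(i + 1 > bodylen)` still lets `message[1]` sit one byte past the body when `i + 1 == bodylen`, so the header-level check alone leaves a one-byte overread when packetlen equals bodylen + 4 exactly; the checked walker therefore requires `i + 2 <= bodylen` before reading the length byte and `i + 2 + len <= bodylen` before advancing.

```c
#include <stdio.h>

#define BABEL_MAGIC    42
#define BABEL_VERSION   2
#define MESSAGE_PAD1    0   /* Pad1 TLV type per RFC 6126 */

/* Equivalent of babeld's DO_NTOHS: read a 16-bit big-endian field. */
static unsigned get_be16(const unsigned char *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/*
 * Mirror the index arithmetic of the loop quoted in the report, but never
 * read outside [0, packetlen). Returns the first index the original code
 * would have read out of bounds, or -1 if the walk stays in bounds or is
 * rejected by one of the original checks.
 */
int unchecked_walk_first_oob(const unsigned char *packet, int packetlen)
{
    unsigned i = 0, bodylen, off;
    unsigned char type, len;

    if (packetlen < 4 || packet[0] != BABEL_MAGIC || packet[1] != BABEL_VERSION)
        return -1;                      /* rejected by the header check */
    bodylen = get_be16(packet + 2);     /* trusted blindly, as in the report */
    while (i < bodylen) {
        off = 4 + i;                    /* index of message[0] */
        if (off >= (unsigned)packetlen)
            return (int)off;            /* 'type = message[0]' overruns here */
        type = packet[off];
        if (type == MESSAGE_PAD1) {
            i++;
            continue;
        }
        if (i + 1 > bodylen)
            return -1;                  /* "Received truncated message" */
        if (off + 1 >= (unsigned)packetlen)
            return (int)(off + 1);      /* 'len = message[1]' overruns here */
        len = packet[off + 1];
        i += (unsigned)len + 2;         /* assumed TLV stride: type, length, value */
    }
    return -1;
}

/*
 * Hardened walker: returns 0 for a well-formed packet, 1 for a rejected one.
 * Every index read from packet[] is shown to be in bounds before the read.
 */
int babel_packet_examin_checked(const unsigned char *packet, int packetlen)
{
    unsigned i = 0, bodylen;
    unsigned char type, len;
    const unsigned char *message;

    if (packetlen < 4 || packet[0] != BABEL_MAGIC || packet[1] != BABEL_VERSION)
        return 1;
    bodylen = get_be16(packet + 2);
    /* The check proposed in the report: the claimed body must fit the datagram. */
    if ((unsigned)packetlen < bodylen + 4)
        return 1;
    while (i < bodylen) {
        message = packet + 4 + i;
        type = message[0];              /* i < bodylen, so inside the body */
        if (type == MESSAGE_PAD1) {
            i++;
            continue;
        }
        /* message[1] is inside the body only if i + 2 <= bodylen. */
        if (i + 2 > bodylen)
            return 1;
        len = message[1];
        /* The value must fit too, else the next iteration starts past the end. */
        if (i + 2 + (unsigned)len > bodylen)
            return 1;
        i += (unsigned)len + 2;
    }
    return 0;
}

/* Constructed packets for the demonstration (not captured traffic). */
static const unsigned char ok_pkt[]   = { 42, 2, 0, 5, 0, 1, 2, 0xAA, 0xBB }; /* Pad1 + one 2-byte TLV */
static const unsigned char lie_pkt[]  = { 42, 2, 0, 16 };                      /* bodylen 16, only 4 bytes sent */
static const unsigned char edge_pkt[] = { 42, 2, 0, 1, 1 };                    /* bodylen 1, non-pad TLV, no length byte */

int main(void)
{
    printf("ok_pkt:   first OOB index %d, checked -> %d\n",
           unchecked_walk_first_oob(ok_pkt, (int)sizeof ok_pkt),
           babel_packet_examin_checked(ok_pkt, (int)sizeof ok_pkt));
    printf("lie_pkt:  first OOB index %d, checked -> %d\n",
           unchecked_walk_first_oob(lie_pkt, (int)sizeof lie_pkt),
           babel_packet_examin_checked(lie_pkt, (int)sizeof lie_pkt));
    printf("edge_pkt: first OOB index %d, checked -> %d\n",
           unchecked_walk_first_oob(edge_pkt, (int)sizeof edge_pkt),
           babel_packet_examin_checked(edge_pkt, (int)sizeof edge_pkt));
    return 0;
}
```

`lie_pkt` is the shape of the report's crash: the first iteration reads index 4 of a 4-byte buffer, which is the `message.c:300` read in the sanitizer trace. `edge_pkt` passes the proposed `packetlen < bodylen + 4` check (5 bytes, bodylen 1) and the original `i + 1 > bodylen` check, yet the length read lands on index 5, one past the buffer; the checked walker rejects it.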
The output of the address sanitizer:
==271648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000059301a bp 0x7fff3f7301f0 sp 0x7fff3f7301e8
READ of size 1 at 0x603000000114 thread T0
#0 0x593019 in babel_packet_examin /home/parallels/myfrr/babeld/message.c:300:16
#1 0x593019 in parse_packet /home/parallels/myfrr/babeld/message.c:354:9