CVE-2022-26126: isisd: misusing strdup leads to stack overflow · Issue #10505 · FRRouting/frr
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.
At line 470 in the code below, we call yang_data_new, which in turn calls strdup(raw_pdu). However, raw_pdu is not guaranteed to be a zero-terminated string and thus leads to a stack overflow in strdup. When I set raw_pdu[raw_pdu_len - 1] to \0, the bug disappears. Note that strdup should only be used with a C string.
In the same file, isis_nb_notifications.c, there are 8 places where yang_data_new is used with raw_pdu and thus may have the same overflow bug. Please check and suggest a fix. I can then open a pull request.
```c
void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
				uint8_t rcv_id_len, const char *raw_pdu,
				size_t raw_pdu_len)
{
	const char *xpath = "/frr-isisd:id-len-mismatch";
	struct list *arguments = yang_data_list_new();
	char xpath_arg[XPATH_MAXLEN];
	struct yang_data *data;
	struct isis_area *area = circuit->area;

	notif_prep_instance_hdr(xpath, area, "default", arguments);
	notif_prepr_iface_hdr(xpath, circuit, arguments);

	snprintf(xpath_arg, sizeof(xpath_arg), "%s/pdu-field-len", xpath);
	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
	listnode_add(arguments, data);

	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
	/* Line 470: yang_data_new() calls strdup(raw_pdu), but raw_pdu is a
	 * length-delimited buffer of raw_pdu_len bytes with no guaranteed NUL
	 * terminator, so strdup can read past its end. raw_pdu_len is never
	 * passed down. */
	data = yang_data_new(xpath_arg, raw_pdu);
	listnode_add(arguments, data);
```
What follows is the output of the address sanitizer:
```text
==48351==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe596a3a76 at pc 0x000000543e97 bp 0x7ffe596a3020 sp 0x7ffe596a27e0
READ of size 23 at 0x7ffe596a3a76 thread T0
    #0 0x543e96 in strdup (/home/parallels/myfrr/isisd/isisd+0x543e96)
    #1 0x84f73d in yang_data_new /home/parallels/myfrr/lib/yang.c:608:17
    #2 0x6716eb in isis_notif_id_len_mismatch /home/parallels/myfrr/isisd/isis_nb_notifications.c:470:9
    #3 0x5cedcf in isis_handle_pdu /home/parallels/myfrr/isisd/isis_pdu.c:1706:3
```
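The safe pattern the report asks for, as an added example that is not FRR's code and not necessarily the fix the project adopted: the raw PDU is a length-delimited binary buffer, so any conversion to a C string must be bounded by raw_pdu_len and must terminate the copy itself. The helper names pdu_to_cstring and pdu_to_hex are hypothetical; the sample PDU bytes are constructed. The hex variant also covers the second hazard a bounded copy alone does not: a PDU containing a 0x00 byte would be silently truncated once treated as a C string.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy: reads exactly raw_pdu_len bytes and always NUL-terminates,
 * so it never runs off the end of the buffer the way strdup(raw_pdu) does. */
static char *pdu_to_cstring(const unsigned char *raw_pdu, size_t raw_pdu_len)
{
	char *copy = malloc(raw_pdu_len + 1);
	if (copy == NULL)
		return NULL;
	memcpy(copy, raw_pdu, raw_pdu_len);
	copy[raw_pdu_len] = '\0';
	return copy;
}

/* Hex encoding: a binary PDU may legitimately contain 0x00 bytes, which a
 * C string cannot carry; encoding keeps every byte of the PDU visible. */
static char *pdu_to_hex(const unsigned char *raw_pdu, size_t raw_pdu_len)
{
	static const char digits[] = "0123456789abcdef";
	char *hex = malloc(raw_pdu_len * 2 + 1);
	if (hex == NULL)
		return NULL;
	for (size_t i = 0; i < raw_pdu_len; i++) {
		hex[2 * i] = digits[raw_pdu[i] >> 4];
		hex[2 * i + 1] = digits[raw_pdu[i] & 0x0f];
	}
	hex[raw_pdu_len * 2] = '\0';
	return hex;
}

int main(void)
{
	/* Constructed sample: 4 PDU bytes, embedded NUL, no terminator. */
	unsigned char pdu[4] = {0x83, 0x1b, 0x00, 0x01};
	char *s = pdu_to_cstring(pdu, sizeof pdu);
	char *h = pdu_to_hex(pdu, sizeof pdu);

	if (s == NULL || h == NULL)
		return 1;
	/* strlen stops at the embedded NUL: 2, although 4 bytes were copied. */
	printf("bounded copy strlen: %zu\n", strlen(s));
	printf("hex encoding: %s\n", h);
	free(s);
	free(h);
	return 0;
}
```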