bgpd: fix illegal memory access in bgp_ls_tlv_check_size()

Fix illegal memory access bgp_ls_tlv_check_size() if type is 1253. > CID 1568377 (#4 of 4): Out-of-bounds read (OVERRUN) > 5. overrun-local: Overrunning array bgp_linkstate_tlv_infos of 1253 16-byte elements at element index 1253 (byte offset 20063) using index type (which evaluates to 1253). Fixes: 7e0d9ff ("bgpd: display link-state prefixes detail") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
qlyoung · Sep 28, 2023 · dae5791 · dae5791
1 parent eb9e286
commit dae5791
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/bgpd/bgp_linkstate_tlv.c b/bgpd/bgp_linkstate_tlv.c
@@ -31,7 +31,7 @@ struct bgp_linkstate_tlv_info {
 #define UNDEF_MULTPL 1
 
 /* clang-format off */
-struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX] = {
+struct bgp_linkstate_tlv_info bgp_linkstate_tlv_infos[BGP_LS_TLV_MAX + 1] = {
 	/* NLRI TLV */
 	[BGP_LS_TLV_LOCAL_NODE_DESCRIPTORS] = {"Local Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
 	[BGP_LS_TLV_REMOTE_NODE_DESCRIPTORS] = {"Remote Node Descriptors", 1, MAX_SZ, UNDEF_MULTPL},
@@ -1706,7 +1706,7 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
 			json_tlv = json_object_new_object();
 			json_object_object_add(json, tlv_type, json_tlv);
 
-			if (type < BGP_LS_TLV_MAX &&
+			if (type <= BGP_LS_TLV_MAX &&
 			    bgp_linkstate_tlv_infos[type].descr != NULL)
 				json_object_string_add(
 					json_tlv, "description",
@@ -1721,15 +1721,15 @@ void bgp_linkstate_tlv_attribute_display(struct vty *vty,
 					"too high length received: %u", length);
 				break;
 			}
-			if (type < BGP_LS_TLV_MAX &&
+			if (type <= BGP_LS_TLV_MAX &&
 			    bgp_linkstate_tlv_infos[type].descr != NULL &&
 			    !bgp_ls_tlv_check_size(type, length))
 				json_object_string_addf(
 					json_tlv, "error",
 					"unexpected length received: %u",
 					length);
 		} else {
-			if (type < BGP_LS_TLV_MAX &&
+			if (type <= BGP_LS_TLV_MAX &&
 			    bgp_linkstate_tlv_infos[type].descr != NULL)
 				vty_out(vty, "%*s%s: ", indent, "",
 					bgp_linkstate_tlv_infos[type].descr);

diff --git a/bgpd/bgp_linkstate_tlv.h b/bgpd/bgp_linkstate_tlv.h
@@ -197,7 +197,7 @@ enum bgp_linkstate_tlv {
 		1251, /* draft-ietf-idr-bgpls-srv6-ext-08 */
 	BGP_LS_TLV_SRV6_SID_STRUCTURE_TLV =
 		1252,	       /* draft-ietf-idr-bgpls-srv6-ext-08 */
-	BGP_LS_TLV_MAX = 1253, /* max TLV value for table size*/
+	BGP_LS_TLV_MAX = 1252, /* max TLV value for table size*/
 };
 
 /* RFC7752 #3.2.1.4 IGP router-ID */