isisd: don't overrun list of protocols
isisd currently has a list of supported protocols as a fixed array of
size 4. This can be overrun, leading to an overwrite of the ipv4_addrs
pointer.
* isisd/isis_pdu.c: don't accept more protocols than there's space for
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index ffc6717..bfa1e4e 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -311,7 +311,7 @@
}
}
-static void
+static int
tlvs_to_adj_nlpids (struct tlvs *tlvs, struct isis_adjacency *adj)
{
int i;
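Review bot: The return type of `tlvs_to_adj_nlpids` becomes `int` here, but nothing documents what the value means, and the caller tests it as a bare truth value. A header comment above the function would pin the contract, for example `/* Copy the NLPID TLV into adj. Returns 0 on success, 1 if the TLV lists more protocols than adj->nlpids can hold; in that case adj is left unmodified. */`. The function body continues outside this hunk.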
@@ -321,6 +321,8 @@
{
tlv_nlpids = tlvs->nlpids;
+ if (tlv_nlpids->count > array_size (adj->nlpids.nlpids))
+ return 1;
adj->nlpids.count = tlv_nlpids->count;
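Review bot: The oversized-count path at `return 1;` rejects the TLV silently, so an operator gets no trace that a neighbour sent more NLPIDs than the array can hold. This is the same input that previously overwrote the ipv4_addrs pointer, so a warning before the return would help detection. Something like `zlog_warn ("ISIS: NLPID TLV lists %d protocols, more than supported; rejecting", tlv_nlpids->count);` would do, with the format adjusted to the actual type of `count` and the two statements wrapped in braces. The bound itself reads correctly: a count equal to the array size is still accepted and the copy loop stays in range.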
@@ -329,6 +331,7 @@
adj->nlpids.nlpids[i] = tlv_nlpids->nlpids[i];
}
}
+ return 0;
}
static void
@@ -548,7 +551,8 @@
/* which protocol are spoken ??? */
if (found & TLVFLAG_NLPID)
- tlvs_to_adj_nlpids (&tlvs, adj);
+ if (tlvs_to_adj_nlpids (&tlvs, adj))
+ return ISIS_ERROR;
/* we need to copy addresses to the adj */
if (found & TLVFLAG_IPV4_ADDR)
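Review bot: The new `return ISIS_ERROR;` leaves the function from the middle of TLV processing, and the hunk does not show whether the parsed contents of `tlvs` are released on that path. If the function frees them before its normal return (outside this hunk), this exit needs the same cleanup, e.g. `{ free_tlvs (&tlvs); return ISIS_ERROR; }`, or a jump to a shared exit label; otherwise each rejected hello from a neighbour would leak the parsed TLVs. The nested unbraced `if` pair would also read more safely with braces on the outer one. Any other caller of `tlvs_to_adj_nlpids` not visible here should check the new return value too, or it will carry on with the adjacency's previous NLPID list.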