author | renato <renato@openbsd.org> | 2015-10-04 23:08:57 +0000 |
---|---|---|
committer | renato <renato@openbsd.org> | 2015-10-04 23:08:57 +0000 |
commit | f90d6a5d10509af297d7617fd79fdbc5453571ce (patch) | |
tree | 44dcbdac6903540b19775aa1d987e89817290ff9 /usr.sbin/eigrpd | |
parent | Fix warnings and add safeguards to protect against corrupted data. (diff) | |
Ignore IPv4 TLVs in IPv6 instances and vice-versa.
Diffstat (limited to 'usr.sbin/eigrpd')
-rw-r--r-- | usr.sbin/eigrpd/eigrpe.h | 4 | ||||
-rw-r--r-- | usr.sbin/eigrpd/packet.c | 27 | ||||
-rw-r--r-- | usr.sbin/eigrpd/tlv.c | 27 |
3 files changed, 34 insertions, 24 deletions
diff --git a/usr.sbin/eigrpd/eigrpe.h b/usr.sbin/eigrpd/eigrpe.h index b7e43547a73..ea773ed58f7 100644 --- a/usr.sbin/eigrpd/eigrpe.h +++ b/usr.sbin/eigrpd/eigrpe.h @@ -1,4 +1,4 @@ -/* $OpenBSD: eigrpe.h,v 1.1 2015/10/02 04:26:47 renato Exp $ */ +/* $OpenBSD: eigrpe.h,v 1.2 2015/10/04 23:08:57 renato Exp $ */ /* * Copyright (c) 2015 Renato Westphal <renato@openbsd.org> @@ -167,7 +167,7 @@ int gen_mcast_seq_tlv(struct ibuf *, uint32_t); uint16_t len_route_tlv(struct rinfo *); int gen_route_tlv(struct ibuf *, struct rinfo *); struct tlv_parameter *tlv_decode_parameter(struct tlv *, char *); -int tlv_decode_seq(struct tlv *, char *, +int tlv_decode_seq(int, struct tlv *, char *, struct seq_addr_head *); struct tlv_sw_version *tlv_decode_sw_version(struct tlv *, char *); struct tlv_mcast_seq *tlv_decode_mcast_seq(struct tlv *, char *); diff --git a/usr.sbin/eigrpd/packet.c b/usr.sbin/eigrpd/packet.c index 7d16d4dd9e4..27a5f9e5c30 100644 --- a/usr.sbin/eigrpd/packet.c +++ b/usr.sbin/eigrpd/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.2 2015/10/04 23:00:10 renato Exp $ */ +/* $OpenBSD: packet.c,v 1.3 2015/10/04 23:08:57 renato Exp $ */ /* * Copyright (c) 2015 Renato Westphal <renato@openbsd.org> @@ -283,7 +283,6 @@ recv_packet(int af, union eigrpd_addr *src, union eigrpd_addr *dest, struct tlv_mcast_seq *tm = NULL; struct rinfo ri; struct rinfo_entry *re; - int route_af = 0; enum route_type route_type = 0; struct seq_addr_head seq_addr_list; struct rinfo_head rinfo_list; @@ -319,7 +318,7 @@ recv_packet(int af, union eigrpd_addr *src, union eigrpd_addr *dest, goto error; break; case TLV_TYPE_SEQ: - if (tlv_decode_seq(&tlv, buf, &seq_addr_list) < 0) + if (tlv_decode_seq(af, &tlv, buf, &seq_addr_list) < 0) goto error; break; case TLV_TYPE_SW_VERSION: 
@@ -334,26 +333,28 @@ recv_packet(int af, union eigrpd_addr *src, union eigrpd_addr *dest, case TLV_TYPE_IPV4_EXTERNAL: case TLV_TYPE_IPV6_INTERNAL: case TLV_TYPE_IPV6_EXTERNAL: - switch (ntohs(tlv.type)) { - case TLV_TYPE_IPV4_INTERNAL: - route_af = AF_INET; - route_type = EIGRP_ROUTE_INTERNAL; + /* silently ignore TLV from different address-family */ + if (af != AF_INET && + (ntohs(tlv.type) == TLV_TYPE_IPV4_INTERNAL || + ntohs(tlv.type) == TLV_TYPE_IPV4_EXTERNAL)) break; - case TLV_TYPE_IPV4_EXTERNAL: - route_af = AF_INET; - route_type = EIGRP_ROUTE_EXTERNAL; + if (af != AF_INET6 && + (ntohs(tlv.type) == TLV_TYPE_IPV6_INTERNAL || + ntohs(tlv.type) == TLV_TYPE_IPV6_EXTERNAL)) break; + + switch (ntohs(tlv.type)) { + case TLV_TYPE_IPV4_INTERNAL: case TLV_TYPE_IPV6_INTERNAL: - route_af = AF_INET6; route_type = EIGRP_ROUTE_INTERNAL; break; + case TLV_TYPE_IPV4_EXTERNAL: case TLV_TYPE_IPV6_EXTERNAL: - route_af = AF_INET6; route_type = EIGRP_ROUTE_EXTERNAL; break; } - if (tlv_decode_route(route_af, route_type, &tlv, buf, + if (tlv_decode_route(af, route_type, &tlv, buf, &ri) < 0) goto error; if ((re = calloc(1, sizeof(*re))) == NULL) diff --git a/usr.sbin/eigrpd/tlv.c b/usr.sbin/eigrpd/tlv.c index 40b6fb85380..c6670752da1 100644 --- a/usr.sbin/eigrpd/tlv.c +++ b/usr.sbin/eigrpd/tlv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tlv.c,v 1.2 2015/10/04 23:00:10 renato Exp $ */ +/* $OpenBSD: tlv.c,v 1.3 2015/10/04 23:08:57 renato Exp $ */ /* * Copyright (c) 2015 Renato Westphal <renato@openbsd.org> @@ -272,7 +272,7 @@ tlv_decode_parameter(struct tlv *tlv, char *buf) } int -tlv_decode_seq(struct tlv *tlv, char *buf, +tlv_decode_seq(int af, struct tlv *tlv, char *buf, struct seq_addr_head *seq_addr_list) { uint16_t len; 
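Review bot: In the route-TLV case of recv_packet (packet.c, hunk `@@ -334,26 +333,28 @@`), a TLV of the other address family is dropped without leaving any trace, so a neighbor that keeps advertising IPv4 routes to an IPv6 instance, whether through misconfiguration or a malformed packet, cannot be spotted from the logs. A debug-level message before each of the two new `break` statements would keep the behaviour and make it observable, e.g. `log_debug("%s: ignoring TLV type 0x%04x from other address-family", __func__, ntohs(tlv.type));`. Holding `ntohs(tlv.type)` in a local once would also shorten the two guards and the switch that follows them. recv_packet begins and ends outside this hunk, so whether the parser still advances past the skipped TLV's length cannot be confirmed from here.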
@@ -298,19 +298,27 @@ tlv_decode_seq(struct tlv *tlv, char *buf, if ((sa = calloc(1, sizeof(*sa))) == NULL) fatal("tlv_decode_seq"); - switch (alen) { - case INADDRSZ: - sa->af = AF_INET; + sa->af = af; + switch (af) { + case AF_INET: + if (alen != INADDRSZ) { + log_debug("%s: invalid address length"); + free(sa); + return (-1); + } memcpy(&sa->addr.v4, buf, sizeof(struct in_addr)); break; - case IN6ADDRSZ: - sa->af = AF_INET6; + case AF_INET6: + if (alen != IN6ADDRSZ) { + log_debug("%s: invalid address length"); + free(sa); + return (-1); + } memcpy(&sa->addr.v6, buf, sizeof(struct in6_addr)); break; default: - log_debug("%s: unknown address length", __func__); free(sa); - return (-1); + fatalx("tlv_decode_seq: unknown af"); } buf += alen; len -= alen; @@ -385,6 +393,7 @@ tlv_decode_route(int af, enum route_type type, struct tlv *tlv, char *buf, case AF_INET6: memcpy(&ri->nexthop.v6, buf + offset, sizeof(ri->nexthop.v6)); offset += sizeof(ri->nexthop.v6); + break; default: fatalx("tlv_decode_route: unknown af"); } |
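Review bot: Both new `log_debug("%s: invalid address length");` calls in tlv_decode_seq (tlv.c, hunk `@@ -298,19 +298,27 @@`) carry a `%s` conversion with no matching argument, which is undefined behaviour. `alen` appears to come from the received SEQ TLV, so a neighbor can reach these branches by sending an unexpected address length, and the formatter would then treat an arbitrary value as a string pointer whenever the message is actually formatted. Both calls should read `log_debug("%s: invalid address length", __func__);`, as the removed `unknown address length` line did. tlv_decode_seq starts and ends outside the hunk, so the check of `alen` against the remaining `len` before each `memcpy` cannot be confirmed from here.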