ospf: ensure a sub-tlv has a valid length before using it.
A sub-tlv has a 2-bytes type and a 2-bytes length, that includes the stlv header. For this reason the full length of a stlv must be over 4. This must be checked before converting the payload to a string by subtracting 4 to the length. Fix: #17459.
This commit is contained in:
parent
c0e70f67b3
commit
481b0ee06c
|
@ -1000,6 +1000,7 @@ static expert_field ei_ospf_lsa_constraint_missing = EI_INIT;
|
|||
static expert_field ei_ospf_lsa_bc_error = EI_INIT;
|
||||
static expert_field ei_ospf_lsa_unknown_type = EI_INIT;
|
||||
static expert_field ei_ospf_unknown_link_subtype = EI_INIT;
|
||||
static expert_field ei_ospf_stlv_length_invalid = EI_INIT;
|
||||
|
||||
static gint ospf_msg_type_to_filter (guint8 msg_type)
|
||||
{
|
||||
|
@ -2551,6 +2552,13 @@ dissect_ospf_lsa_mpls(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree
|
|||
while (stlv_offset < tlv_end_offset) {
|
||||
stlv_type = tvb_get_ntohs(tvb, stlv_offset);
|
||||
stlv_len = tvb_get_ntohs(tvb, stlv_offset + 2);
|
||||
|
||||
if (stlv_len < 4) {
|
||||
proto_tree_add_expert_format(tlv_tree, pinfo, &ei_ospf_stlv_length_invalid, tvb, stlv_offset + 2, 2,
|
||||
"Invalid sub-TLV lentgh: %u", stlv_len);
|
||||
break;
|
||||
}
|
||||
|
||||
stlv_name = val_to_str_const(stlv_type, oif_stlv_str, "Unknown sub-TLV");
|
||||
switch (stlv_type) {
|
||||
|
||||
|
@ -4758,6 +4766,7 @@ proto_register_ospf(void)
|
|||
{ &ei_ospf_lsa_bc_error, { "ospf.lsa.bc_error", PI_PROTOCOL, PI_WARN, "BC error", EXPFILL }},
|
||||
{ &ei_ospf_lsa_unknown_type, { "ospf.lsa.unknown_type", PI_PROTOCOL, PI_WARN, "Unknown LSA Type", EXPFILL }},
|
||||
{ &ei_ospf_unknown_link_subtype, { "ospf.unknown_link_subtype", PI_PROTOCOL, PI_WARN, "Unknown Link sub-TLV", EXPFILL }},
|
||||
{ &ei_ospf_stlv_length_invalid, { "ospf.stlv.invalid_length", PI_PROTOCOL, PI_WARN, "Invalid sub-TLV length", EXPFILL }},
|
||||
};
|
||||
|
||||
expert_module_t* expert_ospf;
|
||||
|
|
Loading…
Reference in New Issue