[patch] Add contextual out-of-bound checks in RTR Prefix PDU handler

Job Snijders job at fastly.com
Sun Nov 14 19:26:44 CET 2021


Ping :-)

On Fri, 17 Sep 2021 at 21:34, Job Snijders <job at fastly.com> wrote:

> Hi,
>
> I've aligned the text that is locally logged with the encapsulated error
> message sent to the broken RPKI cache. Also fixed a compiler warning
> that snuck into my previous patch: now passing the correct pointer
> (hton_pdu) to rpki_send_error_pdu().
>
> Kind regards,
>
> Job
>
> diff --git proto/rpki/packets.c proto/rpki/packets.c
> index dd11f997..7a1eeb0f 100644
> --- proto/rpki/packets.c
> +++ proto/rpki/packets.c
> @@ -737,6 +737,30 @@ rpki_handle_prefix_pdu(struct rpki_cache *cache,
> const struct pdu_header *pdu)
>    net_addr_union addr = {};
>    rpki_prefix_pdu_2_net_addr(pdu, &addr);
>
> +  if (type == IPV4_PREFIX) {
> +    if (addr.roa4.max_pxlen < addr.roa4.pxlen
> +        || addr.roa4.max_pxlen > IP4_MAX_PREFIX_LENGTH
> +        || addr.roa4.pxlen > IP4_MAX_PREFIX_LENGTH) {
> +      RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache
> server: invalid pxlen or max_pxlen");
> +      byte tmp[pdu->len];
> +      const struct pdu_header *hton_pdu =
> rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
> +      rpki_send_error_pdu(cache, CORRUPT_DATA, pdu->len, hton_pdu,
> "Corrupted PDU: invalid pxlen or max_pxlen");
> +      rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
> +      return RPKI_ERROR;
> +    }
> +  } else {
> +    if (addr.roa6.max_pxlen < addr.roa6.pxlen
> +        || addr.roa6.max_pxlen > IP6_MAX_PREFIX_LENGTH
> +        || addr.roa6.pxlen > IP6_MAX_PREFIX_LENGTH) {
> +      RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache
> server: invalid pxlen or max_pxlen");
> +      byte tmp[pdu->len];
> +      const struct pdu_header *hton_pdu =
> rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
> +      rpki_send_error_pdu(cache, CORRUPT_DATA, pdu->len, hton_pdu,
> "Corrupted PDU: invalid pxlen or max_pxlen");
> +      rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
> +      return RPKI_ERROR;
> +    }
> +  }
> +
>    if (cf->ignore_max_length)
>    {
>      if (type == IPV4_PREFIX)
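Review bot: `byte tmp[pdu->len];` in both error branches sizes a stack array from a length field supplied by the RPKI cache, on the very path that handles a PDU already judged corrupt. Nothing in this hunk bounds `pdu->len`, so unless the receive path outside the hunk already caps it, a broken or hostile cache could force an oversized stack allocation. A prefix PDU has a fixed size (20 bytes for IPv4, 32 for IPv6 in RFC 6810), so a fixed buffer such as `byte tmp[32];`, with the PDU rejected beforehand when `pdu->len` exceeds `sizeof(tmp)`, would remove that dependency. The two branches are otherwise identical and could share one error path that differs only in the fields and the limit compared. rpki_handle_prefix_pdu starts before the hunk and continues after it.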
>