[patch] Add contextual out-of-bound checks in RTR Prefix PDU handler
Job Snijders
job at fastly.com
Fri Sep 17 20:39:42 CEST 2021
Apologies for the noise... perhaps three attempts is a charm? :-)

The "Prefix Length" can also contextually overflow, the below changeset
also checks that specific element.

I noticed that having RPKI_CS_ERROR_FATAL fall through to
RPKI_CS_ERROR_TRANSPORT did not result in the desired behavior (which is
to flush all data related to the corrupted RPKI cache), so I left that
change out. This means that a potential for a 'reconnect storm' remains.
Adding a retry sleep timer before scheduling the next connect attempt if
RPKI_CS_ERROR_FATAL happened should probably be investigated separately.

Kind regards,

Job

diff --git proto/rpki/packets.c proto/rpki/packets.c
index dd11f997..fa94846e 100644
--- proto/rpki/packets.c
+++ proto/rpki/packets.c
@@ -737,6 +737,30 @@ rpki_handle_prefix_pdu(struct rpki_cache *cache, const struct pdu_header *pdu)
net_addr_union addr = {};
rpki_prefix_pdu_2_net_addr(pdu, &addr);
+ if (type == IPV4_PREFIX) {
+ if (addr.roa4.max_pxlen < addr.roa4.pxlen
+ || addr.roa4.max_pxlen > IP4_MAX_PREFIX_LENGTH
+ || addr.roa4.pxlen > IP4_MAX_PREFIX_LENGTH) {
+ RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache server: invalid Max Length");
+ byte tmp[pdu->len];
+ const struct pdu_header *hton_pdu = rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
+ rpki_send_error_pdu(cache, CORRUPT_DATA, pdu->len, tmp, "Corrupted PDU: invalid pxlen or max_pxlen");
+ rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
+ return RPKI_ERROR;
+ }
+ } else {
+ if (addr.roa6.max_pxlen < addr.roa6.pxlen
+ || addr.roa6.max_pxlen > IP6_MAX_PREFIX_LENGTH
+ || addr.roa6.pxlen > IP6_MAX_PREFIX_LENGTH) {
+ RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache server: invalid Max Length");
+ byte tmp[pdu->len];
+ const struct pdu_header *hton_pdu = rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
+ rpki_send_error_pdu(cache, CORRUPT_DATA, pdu->len, tmp, "Corrupted PDU: invalid pxlen or max_pxlen");
+ rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
+ return RPKI_ERROR;
+ }
+ }
+
if (cf->ignore_max_length)
{
if (type == IPV4_PREFIX)
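
Review bot: In both added branches, "byte tmp[pdu->len];" places a variable-length array on the stack whose size is the length field of a PDU that has just been judged corrupt, and nothing in this hunk bounds pdu->len before that allocation. Consider checking the length against a fixed maximum first, or building the error PDU from a fixed-size buffer. In the same blocks, hton_pdu is assigned but never used, since tmp is what gets passed to rpki_send_error_pdu; either drop the variable or pass it. The IPv4 and IPv6 blocks differ only in the field names and the limit constant, so a small helper taking pxlen, max_pxlen and the limit would remove the duplication, and the warning text could name the prefix length as well, because it currently says "invalid Max Length" even when pxlen is the value out of range.
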