isisd: fix rcap tlv double-free crash #16809

A double-free crash happens when a subTLV of the "Router Capability" TLV is not readable and a previous "Router Capability" TLV was read. rcap was supposed to be freed later by isis_free_tlvs() -> free_tlv_router_cap(). In 78774bb ("isisd: add isis flex-algo lsp advertisement"), this was not the case because rcap was not saved to tlvs->router_cap when the function returned early because of a subTLV length issue. Always set tlvs->router_cap to free the memory. Note that this patch has the consequence that in case of subTLV error, the previously read "Router Capability" subTLVs are kept in memory. Fixes: 49efc80 ("isisd: Ensure rcap is freed in error case") Fixes: 78774bb ("isisd: add isis flex-algo lsp advertisement") Reported-by: Iggy Frankovic <[email protected]> Signed-off-by: Louis Scalbert <[email protected]>

Since the previous commit, if a router capability subTLV is not readable, the previously read subTLVs are kept. Update of the ISIS fuzz test. > $ wuschl rebuild tests/isisd/test_fuzz_isis_tlv > $ gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h > $ ./test_fuzz_isis_tlv 2>/dev/null | grep failed > Test 139 failed, output differs. > Test 150 failed, output differs. > 2 of 405 tests failed. > > $ ./test_fuzz_isis_tlv 139 2>/dev/null > Test 139 failed, output differs. > Expected output: > Unpack log: > Unpacking 564 bytes of TLVs... > Unpacking TLV... > Found TLV of type 193 and len 13. > Skipping unknown TLV 193 (13 bytes) > Unpacking TLV... > Found TLV of type 0 and len 0. > Skipping unknown TLV 0 (0 bytes) > Unpacking TLV... > Found TLV of type 0 and len 0. > Skipping unknown TLV 0 (0 bytes) > Unpacking TLV... > Found TLV of type 242 and len 12. > Unpacking Router Capability TLV... > WARNING: Router Capability subTLV length too large compared to expected size > Unpacked TLVs: > Received output: > Unpack log: > Unpacking 564 bytes of TLVs... > Unpacking TLV... > Found TLV of type 193 and len 13. > Skipping unknown TLV 193 (13 bytes) > Unpacking TLV... > Found TLV of type 0 and len 0. > Skipping unknown TLV 0 (0 bytes) > Unpacking TLV... > Found TLV of type 0 and len 0. > Skipping unknown TLV 0 (0 bytes) > Unpacking TLV... > Found TLV of type 242 and len 12. > Unpacking Router Capability TLV... > WARNING: Router Capability subTLV length too large compared to expected size > Unpacked TLVs: > Router Capability: 253.212.128.242 , D:1, S:1 > > $ ./test_fuzz_isis_tlv 150 2>/dev/null > Test 150 failed, output differs. > Expected output: > Unpack log: > Unpacking 403 bytes of TLVs... > Unpacking TLV... > Found TLV of type 129 and len 13. > Unpacking Protocols Supported TLV... > Protocols Supported: 73, 16, 255, 255, 255, 101, 10, 11, 11, 11, 11, 11, 11 > Unpacking TLV... > Found TLV of type 11 and len 11. > Skipping unknown TLV 11 (11 bytes) > Unpacking TLV... > Found TLV of type 242 and len 12. > Unpacking Router Capability TLV... > WARNING: Router Capability subTLV length too large compared to expected size > Unpacked TLVs: > Protocols Supported: 73, 16, 255, 255, 255, 101, 10, 11, 11, 11, 11, 11, 11 > Received output: > Unpack log: > Unpacking 403 bytes of TLVs... > Unpacking TLV... > Found TLV of type 129 and len 13. > Unpacking Protocols Supported TLV... > Protocols Supported: 73, 16, 255, 255, 255, 101, 10, 11, 11, 11, 11, 11, 11 > Unpacking TLV... > Found TLV of type 11 and len 11. > Skipping unknown TLV 11 (11 bytes) > Unpacking TLV... > Found TLV of type 242 and len 12. > Unpacking Router Capability TLV... > WARNING: Router Capability subTLV length too large compared to expected size > Unpacked TLVs: > Protocols Supported: 73, 16, 255, 255, 255, 101, 10, 11, 11, 11, 11, 11, 11 > Router Capability: 253.212.128.242 , D:1, S:1 Link: https://pypi.org/project/wuschl/ Signed-off-by: Louis Scalbert <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

isisd: fix rcap tlv double-free crash #16809

isisd: fix rcap tlv double-free crash #16809

Commits on Sep 16, 2024