static int
cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n)
{
- u8 *cur = n->last_rx_pkt;
+ u8 *end, *cur = n->last_rx_pkt;
cdp_hdr_t *h;
cdp_tlv_t *tlv;
cdp_error_t e = CDP_ERROR_NONE;
if (e)
return e;
+ // there are no tlvs
+ if (vec_len (n->last_rx_pkt) <= 0)
+ return CDP_ERROR_BAD_TLV;
+
cur = (u8 *) (h + 1);
+ end = n->last_rx_pkt + vec_len (n->last_rx_pkt) - 1;
- while (cur < n->last_rx_pkt + vec_len (n->last_rx_pkt) - 1)
+ // look ahead 4 bytes (u16 tlv->t + u16 tlv->l)
+ while (cur + 3 <= end)
{
tlv = (cdp_tlv_t *) cur;
tlv->t = ntohs (tlv->t);
tlv->l = ntohs (tlv->l);
- if (tlv->t >= ARRAY_LEN (tlv_handlers))
- return CDP_ERROR_BAD_TLV;
- handler = &tlv_handlers[tlv->t];
- fp = handler->process;
- e = (*fp) (cm, n, tlv);
- if (e)
- return e;
- /* tlv length includes (t, l) */
+
+ /* tlv length includes t, l and v */
cur += tlv->l;
+ if ((cur - 1) > end)
+ return CDP_ERROR_BAD_TLV;
+ /*
+ * Only process known TLVs. In practice, certain
+ * devices send tlv->t = 0xFF, perhaps as an EOF of sorts.
+ */
+ if (tlv->t < ARRAY_LEN (tlv_handlers))
+ {
+ handler = &tlv_handlers[tlv->t];
+ fp = handler->process;
+ e = (*fp) (cm, n, tlv);
+ if (e)
+ return e;
+ }
}
+ // did not process all tlvs or none tlv processed
+ if ((cur - 1) != end)
+ return CDP_ERROR_BAD_TLV;
+
return CDP_ERROR_NONE;
}
if (p == 0)
{
pool_get (cm->neighbors, n);
- memset (n, 0, sizeof (*n));
+ clib_memset (n, 0, sizeof (*n));
n->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX];
n->packet_template_index = (u8) ~ 0;
hash_set (cm->neighbor_by_sw_if_index, n->sw_if_index,
Code Review / vpp.git / blobdiff