From: Filip Varga <filip.varga@pantheon.tech>
Date: Mon, 5 Nov 2018 08:41:56 +0000 (+0100)
Subject: VPP-1481: fixed tlv length checking & added tests
X-Git-Tag: v19.04-rc0~455
X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commitdiff_plain;h=3206bb15aa65f6b4bd933844cffc26967aab6ed6

VPP-1481: fixed tlv length checking & added tests

Change-Id: I9375bca5f5136c84d801dbd635929bb1c37d75b4
Signed-off-by: Filip Varga <filip.varga@pantheon.tech>
---

diff --git a/src/plugins/cdp/cdp_input.c b/src/plugins/cdp/cdp_input.c
index dd3619cb8ac..a27113d18eb 100644
--- a/src/plugins/cdp/cdp_input.c
+++ b/src/plugins/cdp/cdp_input.c
@@ -93,8 +93,11 @@ format_text_tlv (u8 * s, va_list * va)
 
   s = format (s, "%s(%d): ", h->name, t->t);
 
-  for (i = 0; i < (t->l - sizeof (*t)); i++)
-    vec_add1 (s, t->v[i]);
+  if (t->l >= 4)
+    {
+      for (i = 0; i < (t->l - sizeof (*t)); i++)
+	vec_add1 (s, t->v[i]);
+    }
 
   vec_add1 (s, '\n');
   return s;
@@ -284,9 +287,14 @@ cdp_packet_scan (cdp_main_t * cm, cdp_neighbor_t * n)
       tlv->l = ntohs (tlv->l);
 
       /* tlv length includes t, l and v */
+
+      if (tlv->l < 4)
+	return CDP_ERROR_BAD_TLV;
+
       cur += tlv->l;
       if ((cur - 1) > end)
 	return CDP_ERROR_BAD_TLV;
+
       /*
        * Only process known TLVs. In practice, certain
        * devices send tlv->t = 0xFF, perhaps as an EOF of sorts.
diff --git a/test/test_cdp.py b/test/test_cdp.py
index 3eec4a73244..ac42bf084a2 100644
--- a/test/test_cdp.py
+++ b/test/test_cdp.py
@@ -91,9 +91,15 @@ class TestCDP(VppTestCase):
         self.assert_equal(system, self.device_id,
                           "CDP received invalid device id")
 
-    def test_send_cdp_bad_packet(self):
+    def test_cdp_underflow_tlv(self):
+        self.send_bad_packet(3, ".")
+
+    def test_cdp_overflow_tlv(self):
+        self.send_bad_packet(8, ".")
+
+    def send_bad_packet(self, l, v):
         self.logger.info(self.vapi.cli("cdp enable"))
-        self.send_packet(self.create_bad_packet(8, "."))
+        self.send_packet(self.create_bad_packet(l, v))
 
         errors = list(self.show_errors())
         self.assertTrue(errors)
@@ -102,7 +108,7 @@ class TestCDP(VppTestCase):
         for count, node, reason in errors:
             if (node == u'cdp-input' and
                     reason == u'cdp packets with bad TLVs' and
-                    int(count) == 1):
+                    int(count) >= 1):
 
                 expected_errors = True
                 break