bgpd: Fix buffer/count inconsistency in SRv6 End.X SID TLV parsers#21902
bgpd: Fix buffer/count inconsistency in SRv6 End.X SID TLV parsers#21902cscarpitta wants to merge 1 commit into
Conversation
When parsing SRv6 End.X SID TLVs, each new entry is added to a dynamically grown array. The array is resized first, and the new entry is filled in. The parser then processes optional sub-TLVs and increments the entry count only after sub-TLV parsing succeeds. If sub-TLV parsing fails, the function returns an error before the count is incremented, leaving the array one element larger than the count indicates. Code that later copies the array allocates the destination based on the count, so it can allocate too little memory and miss the last entry. Fix by incrementing the count and marking the attribute present immediately after filling in the entry, before parsing sub-TLVs. If sub-TLV parsing then fails, the count still matches the array size, and the error cleanup path frees the entire array safely. This affects parse_srv6_endx_sid(), parse_isis_srv6_lan_endx_sid(), and parse_ospf_srv6_lan_endx_sid(). Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
Greptile SummaryThis PR fixes a buffer/count inconsistency in three SRv6 End.X SID TLV parser functions where the array was grown by
Confidence Score: 5/5This is a targeted, correct fix to a real memory-accounting bug; no new logic is introduced and the change is safe to merge. All three affected functions receive the same mechanical reordering of two lines — no new allocations, loops, or conditional paths are added. The copy path in bgp_ls_attr_dup and the iteration paths all use the count correctly after this change, and the free path was never count-dependent so it was unaffected before and after. No files require special attention. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[parse_srv6_endx_sid / parse_isis_srv6_lan_endx_sid / parse_ospf_srv6_lan_endx_sid] --> B{length check}
B -- too short --> C[return -1]
B -- ok --> D{count >= MAX?}
D -- yes --> E[skip TLV, return 0]
D -- no --> F[XREALLOC array to count+1]
F --> G[Fill entry fields from stream]
G --> H["count++ / SET_FLAG moved here"]
H --> I{has sub-TLVs?}
I -- no --> J[return 0]
I -- yes --> K[parse_endx_sub_tlvs]
K -- success --> J
K -- fail --> L["return -1 (count already correct)"]
Reviews (1): Last reviewed commit: "bgpd: Fix buffer/count inconsistency in ..." | Re-trigger Greptile |
| stream_get(&entry->sid, s, IPV6_MAX_BYTELEN); | ||
|
|
||
| attr->srv6_endx_sid_count++; | ||
| SET_FLAG(attr->present_tlvs, BGP_LS_ATTR_SRV6_ENDX_SID_BIT); |
There was a problem hiding this comment.
Should we decrement/UNSET on error?
2 participants
When parsing SRv6 End.X SID TLVs, each new entry is added to a dynamically grown array. The array is resized first, and the new entry is filled in. The parser then processes optional sub-TLVs and increments the entry count only after sub-TLV parsing succeeds. If sub-TLV parsing fails, the function returns an error before the count is incremented, leaving the array one element larger than the count indicates.
Code that later copies the array allocates the destination based on the count, so it can allocate too little memory and miss the last entry.
Fix by incrementing the count and marking the attribute present immediately after filling in the entry, before parsing sub-TLVs. If sub-TLV parsing then fails, the count still matches the array size, and the error cleanup path frees the entire array safely.
This affects
parse_srv6_endx_sid(),parse_isis_srv6_lan_endx_sid(), andparse_ospf_srv6_lan_endx_sid().