Validate MAC size before accessing MAC in bridge table configs

Currently when Agent sends a bridge table add/delete/dump request it sends MAC address in "route" sandesh structure. Vrouter is accessing the rtr_mac field from sandesh decoded structure without validating if rtr_mac is passed by Agent or not. If Agent does not send this field, Vrouter crashes as we are accessing NULL pointer. As a fix, the mac size is validated before accessing the mac. Change-Id: I89f03e0f5a95b051361f3b242bbeef891fe93144 closes-bug: #1623896
Juniper · Sep 15, 2016 · 0d4cbb1 · 0d4cbb1
1 parent 3bfe603
commit 0d4cbb1
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/dp-core/vr_bridge.c b/dp-core/vr_bridge.c
@@ -145,6 +145,9 @@ bridge_table_add(struct vr_rtable * _unused, struct vr_route_req *rt)
     if (!vn_rtable)
         return -EINVAL;
 
+    if (rt->rtr_req.rtr_mac_size != VR_ETHER_ALEN)
+        return -EINVAL;
+
     if (IS_MAC_ZERO(rt->rtr_req.rtr_mac))
         return -EINVAL;
 
@@ -195,6 +198,9 @@ bridge_table_delete(struct vr_rtable * _unused, struct vr_route_req *rt)
     if (!vn_rtable)
         return -EINVAL;
 
+    if (rt->rtr_req.rtr_mac_size != VR_ETHER_ALEN)
+        return -EINVAL;
+
     VR_MAC_COPY(key.be_mac, rt->rtr_req.rtr_mac);
     key.be_vrf_id = rt->rtr_req.rtr_vrf_id;
 
@@ -371,6 +377,9 @@ bridge_table_dump(struct vr_rtable * __unsued, struct vr_route_req *rt)
         goto generate_response;
     }
 
+    if (rt->rtr_req.rtr_mac_size != VR_ETHER_ALEN)
+        return -EINVAL;
+
     mac = (char *)(((vr_route_req *)(dumper->dump_req))->rtr_mac);
     if (!mac) {
         ret = -EINVAL;