bgpd: Fix stack overflow when debug printing label information

ton31337 · ton31337 · commit 499504b8ca3b · 2026-05-24T20:05:41.000+03:00
==11==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8ec03890b2 WRITE of size 5 at 0x7f8ec03890b2 thread T0 #0 vsnprintf (sanitizer_common_interceptors.inc:1652) #1 snprintf (sanitizer_common_interceptors.inc:1723) #2 mpls_labels2str (bgpd/bgp_label.c:699) #3 bgp_debug_rdpfxpath2str (bgpd/bgp_debug.c:2967) #4 subgroup_update_packet (bgpd/bgp_updgrp_packet.c:880) #5 bgp_generate_updgrp_packets (bgpd/bgp_packet.c:504) [144, 174) 'tag_buf' (line 2918) <== Memory access at offset 178 overflows this variable [208, 238) 'pathid_buf' (line 2928) Reported-by: Qifan Zhang, Palo Alto Networks Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
@@ -2951,7 +2951,7 @@ const char *bgp_debug_rdpfxpath2str(afi_t afi, safi_t safi,
 				    struct bgp_route_evpn *overlay_index,
 				    char *str, int size)
 {
-	char tag_buf[30];
+	char tag_buf[sizeof(" label ") + BGP_MAX_LABEL_DIGITS];
 	char overlay_index_buf[INET6_ADDRSTRLEN + 14];
 	const struct prefix_evpn *evp;
 	int len = 0;
diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
@@ -681,24 +681,30 @@ char *mpls_labels2str(mpls_label_t *labels, uint8_t num_labels, const char *pref
 		      int size)
 {
 	uint32_t label_value;
-	uint32_t len = 0;
+	int len = 0;
+	int ret;
 	uint8_t i;
 
+	if (size <= 0)
+		return buf;
+
 	buf[0] = '\0';
 	if (!num_labels)
 		return buf;
 
 	if (prefix) {
-		strlcat(buf + len, prefix, size - len);
+		strlcat(buf, prefix, size);
 		len = strlen(buf);
+		if (len >= size - 1)
+			return buf;
 	}
 
-	label_value = decode_label(&labels[0]);
-	len += snprintf(buf + len, size - len, "%u", label_value);
-
-	for (i = 1; i < num_labels; i++) {
+	for (i = 0; i < num_labels; i++) {
 		label_value = decode_label(&labels[i]);
-		len += snprintf(buf + len, size - len, "/%u", label_value);
+		ret = snprintf(buf + len, size - len, "%s%u", i == 0 ? "" : "/", label_value);
+		if (ret < 0 || ret >= size - len)
+			return buf;
+		len += ret;
 	}
 
 	return buf;
diff --git a/bgpd/bgp_label.h b/bgpd/bgp_label.h
@@ -23,6 +23,7 @@ struct peer;
  * It is impossible to pass more than 10 labels by BGP-LU
  */
 #define BGP_MAX_LABELS 10
+#define BGP_MAX_LABEL_DIGITS (9 * BGP_MAX_LABELS)
 
 /* MPLS label(s) - VNI(s) for EVPN-VxLAN  */
 struct bgp_labels {
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
@@ -12436,7 +12436,7 @@ void route_vty_out_detail(struct vty *vty, struct bgp *bgp, struct bgp_dest *bn,
 			  struct attr *pattr, uint16_t show_opts)
 {
 	char buf[INET6_ADDRSTRLEN];
-	char labels_buf[9 * BGP_MAX_LABELS]; /* 8 per label + / or \0 for each */
+	char labels_buf[BGP_MAX_LABEL_DIGITS]; /* 8 per label + / or \0 for each */
 	char vni_buf[30] = {};
 	struct attr *attr = pattr ? pattr : path->attr;
 	time_t tbuf;
diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c
@@ -1545,7 +1545,7 @@ static void bgp_debug_zebra_nh(struct zapi_route *api)
 	char eth_buf[ETHER_ADDR_STRLEN + 7] = { '\0' };
 	char buf1[ETHER_ADDR_STRLEN];
 	/* strlen("label ") + 8 chars per label + '/' or '\0' for each label */
-	char label_buf[6 + 9 * BGP_MAX_LABELS];
+	char label_buf[6 + BGP_MAX_LABEL_DIGITS];
 	char sid_buf[20];
 	char segs_buf[256];
 	struct zapi_nexthop *api_nh;

Original file line number	Diff line number	Diff line change
`@@ -2951,7 +2951,7 @@ const char *bgp_debug_rdpfxpath2str(afi_t afi, safi_t safi,`
`2951`	`2951`	`struct bgp_route_evpn *overlay_index,`
`2952`	`2952`	`char *str, int size)`
`2953`	`2953`	`{`
`2954`		`- char tag_buf[30];`
	`2954`	`+ char tag_buf[sizeof(" label ") + BGP_MAX_LABEL_DIGITS];`
`2955`	`2955`	`char overlay_index_buf[INET6_ADDRSTRLEN + 14];`
`2956`	`2956`	`const struct prefix_evpn *evp;`
`2957`	`2957`	`int len = 0;`
Original file line number	Diff line number	Diff line change
`@@ -12436,7 +12436,7 @@ void route_vty_out_detail(struct vty vty, struct bgp bgp, struct bgp_dest *bn,`
`12436`	`12436`	`struct attr *pattr, uint16_t show_opts)`
`12437`	`12437`	`{`
`12438`	`12438`	`char buf[INET6_ADDRSTRLEN];`
`12439`		`- char labels_buf[9 * BGP_MAX_LABELS]; /* 8 per label + / or \0 for each */`
	`12439`	`+ char labels_buf[BGP_MAX_LABEL_DIGITS]; /* 8 per label + / or \0 for each */`
`12440`	`12440`	`char vni_buf[30] = {};`
`12441`	`12441`	`struct attr *attr = pattr ? pattr : path->attr;`
`12442`	`12442`	`time_t tbuf;`