Skip to content

pimd: fix stack overflow and IGMPv3 fragmentation in group_retransmit_sources (backport #21047) #1472

pimd: fix stack overflow and IGMPv3 fragmentation in group_retransmit_sources (backport #21047)

pimd: fix stack overflow and IGMPv3 fragmentation in group_retransmit_sources (backport #21047) #1472

Triggered via pull request July 8, 2026 04:10
Status Failure
Total duration 33s
Artifacts

commitlint.yml

on: pull_request
Check if the commits meet the requirements of the guidelines
31s
Check if the commits meet the requirements of the guidelines
Fit to window
Zoom out
Zoom in

Annotations

1 error and 2 warnings
Check if the commits meet the requirements of the guidelines
You have commit messages with errors ⧗ input: pimd: fix stack overflow and IGMPv3 fragmentation in group_retransmit_sources While testing IGMPv3 with a large number of sources (5000+), pimd consistently crashes with a stack buffer overflow. The issue stems from group_retransmit_sources() using fixed-size stack buffers (PIM_IGMP_BUFSIZE_WRITE) without sufficient bounds checking before copying source addresses. The crash log: 2026/03/08 00:29:33 PIM: group_retransmit_sources: group 232.1.1.12 on enp0s8: s_flag=0 unable to fit 5000 sources into buf_size=20000 (max_sources=4997) *** stack smashing detected ***: terminated PIM: Received signal 6; aborting... PIM: __stack_chk_fail+0x14 PIM: group_retransmit_sources+0x346 PIM: source_query_send_by_flag+0x9d PIM: igmp_v3_recv_report+0x4c9 PIM: pim_igmp_packet+0x45d PIM: pim_mroute_msg+0x1db PIM: mroute_read+0xd0 PIM: event_call+0xa9 PIM: frr_run+0xb4 PIM: main+0xf8 This patch resolves the issue by: 1. Replacing stack-based buffers with dynamic heap allocation using XMALLOC(MTYPE_PIM_IGMP_PACKET) to ensure safety. 2. Implementing proper IGMPv3 fragmentation logic. The code now breaks down the source list into multiple IGMP messages that fit the MTU. 3. Introducing igmp_get_max_payload() to calculate safe buffer limits based on interface MTU, respecting the 576-byte fallback limit. Fixes: CWE-121 (Stack-based Buffer Overflow) Impact: Potential Remote Denial of Service (DoS) Signed-off-by: Vitaliy Guschin <guschin108@gmail.com> (cherry picked from commit 50e1a4be63b4e92d342f7a28885cae47206d15d0) # Conflicts: # pimd/pim_igmpv3.c ✖ header must not be longer than 72 characters, current length is 77 [header-max-length] ✖ found 1 problems, 0 warnings ⓘ Get help: https://github.com/conventional-changelog/commitlint/#what-is-commitlint
Workflow syntax warning: .github/workflows/commitlint.yml#L14
.github/workflows/commitlint.yml (Line: 14, Col: 9): Conditional expression contains literal text outside replacement tokens. This will cause the expression to always evaluate to truthy. Did you mean to put the entire expression inside ${{ }}?
Check if the commits meet the requirements of the guidelines
Node.js 20 is deprecated. The following actions target Node.js 20 but are being forced to run on Node.js 24: actions/checkout@v3. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/