zebra: Prevent zebra vxlan remote macip del buffer overflow

=================================================================
==13611==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9e5c8694 at pc 0x0000004d18ac bp 0x7ffe9e5c8330 sp 0x7ffe9e5c7ae0
WRITE of size 17 at 0x7ffe9e5c8694 thread T0
    #0 0x4d18ab in __asan_memcpy (/usr/lib/frr/zebra+0x4d18ab)
    #1 0x7f16f04bd97f in stream_get2 /home/qlyoung/frr/lib/stream.c:277:2
    #2 0x6410ec in zebra_vxlan_remote_macip_del /home/qlyoung/frr/zebra/zebra_vxlan.c:7718:4
    #3 0x68fa98 in zserv_handle_commands /home/qlyoung/frr/zebra/zapi_msg.c:2611:3
    #4 0x556add in main /home/qlyoung/frr/zebra/main.c:309:2
    #5 0x7f16eea3bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x431249 in _start (/usr/lib/frr/zebra+0x431249)

This decode is the result of a buffer overflow because we are
not checking ipa_len.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

1 files changed, 13 insertions, 2 deletions

diff --git a/zebra/zebra_vxlan.c b/zebra/zebra_vxlan.c
index 086b13d67..55baa8e68 100644
--- a/zebra/zebra_vxlan.c
+++ b/zebra/zebra_vxlan.c
@@ -7712,9 +7712,20 @@ void zebra_vxlan_remote_macip_del(ZAPI_HANDLER_ARGS)
 		STREAM_GETL(s, vni);
 		STREAM_GET(&macaddr.octet, s, ETH_ALEN);
 		STREAM_GETL(s, ipa_len);
+
 		if (ipa_len) {
-			ip.ipa_type = (ipa_len == IPV4_MAX_BYTELEN) ? IPADDR_V4
-								    : IPADDR_V6;
+			if (ipa_len == IPV4_MAX_BYTELEN)
+				ip.ipa_type = IPADDR_V4;
+			else if (ipa_len == IPV6_MAX_BYTELEN)
+				ip.ipa_type = IPADDR_V6;
+			else {
+				if (IS_ZEBRA_DEBUG_VXLAN)
+					zlog_debug("ipa_len *must* be %d or %d bytes in length not %d",
+						   IPV4_MAX_BYTELEN,
+						   IPV6_MAX_BYTELEN, ipa_len);
+				goto stream_failure;
+			}
+
 			STREAM_GET(&ip.ip.addr, s, ipa_len);
 		}
 		l += 4 + ETH_ALEN + 4 + ipa_len;