authorDonald Sharp <sharpd@cumulusnetworks.com>2017-10-09 22:36:52 +0200
committerDonald Sharp <sharpd@cumulusnetworks.com>2017-10-10 01:29:09 +0200
commit01b08f09c553b847ff740590eef6b2aedeafc952 (patch)
treedfbba1fff06397f9998977072f151f4fed796a9a /babeld
parentMerge pull request #1312 from donaldsharp/snmp_compile (diff)
babeld: Do not copy beyond end of data
The function really_send_update takes a 'const unsigned char *id' and is called with myid (an 8-byte array) and route->src->id (an 8-byte array), but we copy from these pointers into babel_ifp->buffered_id, which is a 16-byte array. Adjust the size of buffered_id to be 8 bytes and fix the copy to only copy the 8 bytes. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'babeld')
-rw-r--r--babeld/babel_interface.h2
-rw-r--r--babeld/message.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/babeld/babel_interface.h b/babeld/babel_interface.h
index 64509afa1..501177e60 100644
--- a/babeld/babel_interface.h
+++ b/babeld/babel_interface.h
@@ -50,7 +50,7 @@ struct babel_interface {
char have_buffered_id;
char have_buffered_nh;
char have_buffered_prefix;
- unsigned char buffered_id[16];
+ unsigned char buffered_id[8];
unsigned char buffered_nh[4];
unsigned char buffered_prefix[16];
unsigned char *sendbuf;
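Review bot: Shrinking `buffered_id` from 16 to 8 bytes means any remaining site that still writes or compares 16 bytes against it would now run into `buffered_nh`, and this commit updates only one `memcpy` in message.c. It would be worth confirming that no other 16-byte access to the field remains; that cannot be checked from these hunks. The length is also a bare literal in the declaration, so a field comment such as `/* router-id: 8 bytes, must match the id passed to really_send_update() */`, or a named constant shared with message.c, would keep the declaration and the copy in step. The struct continues outside the hunk.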
diff --git a/babeld/message.c b/babeld/message.c
index e31d5de5d..142770e86 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -1080,7 +1080,7 @@ really_send_update(struct interface *ifp,
accumulate_bytes(ifp, id, 8);
end_message(ifp, MESSAGE_ROUTER_ID, 10);
}
- memcpy(babel_ifp->buffered_id, id, 16);
+ memcpy(babel_ifp->buffered_id, id, sizeof(babel_ifp->buffered_id));
babel_ifp->have_buffered_id = 1;
}
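Review bot: The new `memcpy` length is taken from the destination, so the write is bounded, but the read from `id` is only safe while every caller passes at least 8 bytes; `id` is a bare `const unsigned char *` and nothing in the hunk checks that. The `accumulate_bytes(ifp, id, 8)` call a few lines up still spells the same length as a literal, so the two can drift apart if the field is ever resized. A comment on the copy such as `/* id is an 8-byte router-id (myid or route->src->id) */` would record the contract, or one shared constant could serve both sites. really_send_update begins outside this hunk, so its other uses of `buffered_id`, if any, are not visible here.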