diff options
author | Donald Sharp <sharpd@cumulusnetworks.com> | 2017-10-09 22:36:52 +0200 |
---|---|---|
committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2017-10-10 01:29:09 +0200 |
commit | 01b08f09c553b847ff740590eef6b2aedeafc952 (patch) | |
tree | dfbba1fff06397f9998977072f151f4fed796a9a /babeld | |
parent | Merge pull request #1312 from donaldsharp/snmp_compile (diff) | |
download | frr-01b08f09c553b847ff740590eef6b2aedeafc952.tar.xz frr-01b08f09c553b847ff740590eef6b2aedeafc952.zip |
babeld: Do not copy beyond end of data
The function really_send_update takes a 'const unsigned char *id'.
and is called with myid(a 8 byte array) and route->src->id(an 8
byte array), but we copy these pointers into
babel_ifp->buffered_id which is a 16 byte array.
Adjust the size of buffered_id to be 8 bytes and fix the copy
to only copy the 8 bytes.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'babeld')
-rw-r--r-- | babeld/babel_interface.h | 2 | ||||
-rw-r--r-- | babeld/message.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/babeld/babel_interface.h b/babeld/babel_interface.h index 64509afa1..501177e60 100644 --- a/babeld/babel_interface.h +++ b/babeld/babel_interface.h @@ -50,7 +50,7 @@ struct babel_interface { char have_buffered_id; char have_buffered_nh; char have_buffered_prefix; - unsigned char buffered_id[16]; + unsigned char buffered_id[8]; unsigned char buffered_nh[4]; unsigned char buffered_prefix[16]; unsigned char *sendbuf; diff --git a/babeld/message.c b/babeld/message.c index e31d5de5d..142770e86 100644 --- a/babeld/message.c +++ b/babeld/message.c @@ -1080,7 +1080,7 @@ really_send_update(struct interface *ifp, accumulate_bytes(ifp, id, 8); end_message(ifp, MESSAGE_ROUTER_ID, 10); } - memcpy(babel_ifp->buffered_id, id, 16); + memcpy(babel_ifp->buffered_id, id, sizeof(babel_ifp->buffered_id)); babel_ifp->have_buffered_id = 1; } |