author | Paul Jakma <paul.jakma@hpe.com> | 2016-02-09 16:23:03 +0100 |
---|---|---|
committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2016-09-23 18:12:17 +0200 |
commit | d91788284ed910bcf945c01ceb18334423cc352d (patch) | |
tree | 9f79d7d56a5e5d7abb7455d01c4c8b832e1dc243 /bgpd | |
parent | lib: force local MIN/MAX macros (diff) | |
lib: Check prefix length from zebra is sensible
* zclient.c: prefix length on router-id and interface address add
messages not sanity checked. fix.
* */*_zebra.c: Prefix length on zebra route read was not checked, and
clients use it to write to storage. An evil zebra could overflow
client structures by sending overly long prefixlen.
Prompted by discussions with:
Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'bgpd')
-rw-r--r-- | bgpd/bgp_zebra.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c
index 15db32155..0f5c3ce7a 100644
--- a/bgpd/bgp_zebra.c
+++ b/bgpd/bgp_zebra.c
@@ -607,7 +607,7 @@ zebra_read_ipv4 (int command, struct zclient *zclient, zebra_size_t length,
 /* IPv4 prefix. */
 memset (&p, 0, sizeof (struct prefix_ipv4));
 p.family = AF_INET;
- p.prefixlen = stream_getc (s);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
 stream_get (&p.prefix, s, PSIZE (p.prefixlen));
 /* Nexthop, ifindex, distance, metric. */
@@ -722,7 +722,7 @@ zebra_read_ipv6 (int command, struct zclient *zclient, zebra_size_t length,
 /* IPv6 prefix. */
 memset (&p, 0, sizeof (struct prefix_ipv6));
 p.family = AF_INET6;
- p.prefixlen = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
 stream_get (&p.prefix, s, PSIZE (p.prefixlen));
 /* Nexthop, ifindex, distance, metric. */ |
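Review bot: Clamping an oversized length with `MIN(IPV4_MAX_PREFIXLEN, stream_getc (s))` keeps the following `stream_get` inside `p.prefix`, but it silently accepts a malformed message. A sender that wrote a larger length presumably also wrote more prefix bytes, so the nexthop, ifindex, distance and metric fields that follow would be parsed from the wrong offset. Rejecting is safer than repairing: read the byte into a local, and when `plen > IPV4_MAX_PREFIXLEN` log the bad length and leave through the function's error return before touching `p.prefix`. Using a local also removes the reliance on `MIN` evaluating `stream_getc (s)` only once; the macro's definition is not visible here, and a plain ternary form would consume two bytes and store the unchecked second one. The same applies to the `IPV6_MAX_PREFIXLEN` line in `zebra_read_ipv6`; both function bodies start and end outside their hunks.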