lib: Check prefix length from zebra is sensible

* zclient.c: prefix length on router-id and interface address add messages not sanity checked. fix. * */*_zebra.c: Prefix length on zebra route read was not checked, and clients use it to write to storage. An evil zebra could overflow client structures by sending overly long prefixlen. Prompted by discussions with: Donald Sharp <sharpd@cumulusnetworks.com>
author: Paul Jakma <paul.jakma@hpe.com> 2016-02-09 16:23:03 +0100
committer: Donald Sharp <sharpd@cumulusnetworks.com> 2016-09-23 18:12:17 +0200
commit: d91788284ed910bcf945c01ceb18334423cc352d (patch)
tree: 9f79d7d56a5e5d7abb7455d01c4c8b832e1dc243 /isisd/isis_zebra.c
parent: lib: force local MIN/MAX macros (diff)
download: frr-d91788284ed910bcf945c01ceb18334423cc352d.tar.xz
frr-d91788284ed910bcf945c01ceb18334423cc352d.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/isisd/isis_zebra.c b/isisd/isis_zebra.c
index 45728ad2c..a75e293f9 100644
--- a/isisd/isis_zebra.c
+++ b/isisd/isis_zebra.c
@@ -570,7 +570,7 @@ isis_zebra_read_ipv4 (int command, struct zclient *zclient,
   api.message = stream_getc (stream);
 
   p.family = AF_INET;
-  p.prefixlen = stream_getc (stream);
+  p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (stream));
   stream_get (&p.prefix, stream, PSIZE (p.prefixlen));
 
   if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP))
author	Paul Jakma <paul.jakma@hpe.com>	2016-02-09 16:23:03 +0100
committer	Donald Sharp <sharpd@cumulusnetworks.com>	2016-09-23 18:12:17 +0200
commit	d91788284ed910bcf945c01ceb18334423cc352d (patch)
tree	9f79d7d56a5e5d7abb7455d01c4c8b832e1dc243 /isisd/isis_zebra.c
parent	lib: force local MIN/MAX macros (diff)
download	frr-d91788284ed910bcf945c01ceb18334423cc352d.tar.xz frr-d91788284ed910bcf945c01ceb18334423cc352d.zip