summaryrefslogtreecommitdiffstats
path: root/ospf6d/ospf6_zebra.c
diff options
context:
space:
mode:
authorDonald Sharp <sharpd@cumulusnetworks.com>2017-03-01 13:45:21 +0100
committerDonald Sharp <sharpd@cumulusnetworks.com>2017-03-01 14:40:46 +0100
commitb95e5c8c696244bcba9e61e8f3a7edfe597808f5 (patch)
tree3918a7a3690f1f9f8853b7356623e96dcb28ca1a /ospf6d/ospf6_zebra.c
parentpimd: Fix use of value after free (diff)
downloadfrr-b95e5c8c696244bcba9e61e8f3a7edfe597808f5.tar.xz
frr-b95e5c8c696244bcba9e61e8f3a7edfe597808f5.zip
ospf6d: Fix write beyond data structure
Converting a 'struct prefix6' to a 'struct prefix' and then doing a memcpy of the contents writes beyond the end of the data structure. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to '')
-rw-r--r--ospf6d/ospf6_zebra.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/ospf6d/ospf6_zebra.c b/ospf6d/ospf6_zebra.c
index 76bee9cf5..1904623e7 100644
--- a/ospf6d/ospf6_zebra.c
+++ b/ospf6d/ospf6_zebra.c
@@ -217,7 +217,7 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
struct stream *s;
struct zapi_ipv6 api;
unsigned long ifindex;
- struct prefix_ipv6 p, src_p;
+ struct prefix p, src_p;
struct in6_addr *nexthop;
if (ospf6 == NULL)
@@ -235,17 +235,17 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
api.message = stream_getc (s);
/* IPv6 prefix. */
- memset (&p, 0, sizeof (struct prefix_ipv6));
+ memset (&p, 0, sizeof (struct prefix));
p.family = AF_INET6;
p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
- stream_get (&p.prefix, s, PSIZE (p.prefixlen));
+ stream_get (&p.u.prefix6, s, PSIZE (p.prefixlen));
- memset (&src_p, 0, sizeof (struct prefix_ipv6));
+ memset (&src_p, 0, sizeof (struct prefix));
src_p.family = AF_INET6;
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_SRCPFX))
{
src_p.prefixlen = stream_getc (s);
- stream_get (&src_p.prefix, s, PSIZE (src_p.prefixlen));
+ stream_get (&src_p.u.prefix6, s, PSIZE (src_p.prefixlen));
}
if (src_p.prefixlen)
@@ -294,10 +294,10 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
}
if (command == ZEBRA_REDISTRIBUTE_IPV6_ADD)
- ospf6_asbr_redistribute_add (api.type, ifindex, (struct prefix *) &p,
+ ospf6_asbr_redistribute_add (api.type, ifindex, &p,
api.nexthop_num, nexthop, api.tag);
else
- ospf6_asbr_redistribute_remove (api.type, ifindex, (struct prefix *) &p);
+ ospf6_asbr_redistribute_remove (api.type, ifindex, &p);
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP))
free (nexthop);