diff options
author | Donald Sharp <sharpd@cumulusnetworks.com> | 2017-03-01 13:45:21 +0100 |
---|---|---|
committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2017-03-01 14:40:46 +0100 |
commit | b95e5c8c696244bcba9e61e8f3a7edfe597808f5 (patch) | |
tree | 3918a7a3690f1f9f8853b7356623e96dcb28ca1a /ospf6d/ospf6_zebra.c | |
parent | pimd: Fix use of value after free (diff) | |
download | frr-b95e5c8c696244bcba9e61e8f3a7edfe597808f5.tar.xz frr-b95e5c8c696244bcba9e61e8f3a7edfe597808f5.zip |
ospf6d: Fix write beyond data structure
Converting a 'struct prefix6' to a 'struct prefix'
and then doing a memcpy of the contents writes
beyond the end of the data structure.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to '')
-rw-r--r-- | ospf6d/ospf6_zebra.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/ospf6d/ospf6_zebra.c b/ospf6d/ospf6_zebra.c index 76bee9cf5..1904623e7 100644 --- a/ospf6d/ospf6_zebra.c +++ b/ospf6d/ospf6_zebra.c @@ -217,7 +217,7 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient, struct stream *s; struct zapi_ipv6 api; unsigned long ifindex; - struct prefix_ipv6 p, src_p; + struct prefix p, src_p; struct in6_addr *nexthop; if (ospf6 == NULL) @@ -235,17 +235,17 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient, api.message = stream_getc (s); /* IPv6 prefix. */ - memset (&p, 0, sizeof (struct prefix_ipv6)); + memset (&p, 0, sizeof (struct prefix)); p.family = AF_INET6; p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s)); - stream_get (&p.prefix, s, PSIZE (p.prefixlen)); + stream_get (&p.u.prefix6, s, PSIZE (p.prefixlen)); - memset (&src_p, 0, sizeof (struct prefix_ipv6)); + memset (&src_p, 0, sizeof (struct prefix)); src_p.family = AF_INET6; if (CHECK_FLAG (api.message, ZAPI_MESSAGE_SRCPFX)) { src_p.prefixlen = stream_getc (s); - stream_get (&src_p.prefix, s, PSIZE (src_p.prefixlen)); + stream_get (&src_p.u.prefix6, s, PSIZE (src_p.prefixlen)); } if (src_p.prefixlen) @@ -294,10 +294,10 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient, } if (command == ZEBRA_REDISTRIBUTE_IPV6_ADD) - ospf6_asbr_redistribute_add (api.type, ifindex, (struct prefix *) &p, + ospf6_asbr_redistribute_add (api.type, ifindex, &p, api.nexthop_num, nexthop, api.tag); else - ospf6_asbr_redistribute_remove (api.type, ifindex, (struct prefix *) &p); + ospf6_asbr_redistribute_remove (api.type, ifindex, &p); if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP)) free (nexthop); |