authorDonald Sharp <sharpd@nvidia.com>2022-07-20 22:43:17 +0200
committerDonald Sharp <sharpd@nvidia.com>2022-07-22 19:17:58 +0200
commitd2aeac38708d93fb028d6a53e6eea317f0c06d1b (patch)
treedabaec3c151239d6da7ce7f32b79d439278f6de4 /ospfclient
parentMerge pull request #11565 from pguibert6WIND/bfd_vrf_lite_support (diff)
ospfclient: Ensure ospf_apiclient_lsa_originate cannot accidently write into stack
Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound on what can be written into an LSA, let's add a small check to ensure it is not possible to do a bad thing.

This wins one of the long standing bug awards. 2003!

Fixes: #11602
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Diffstat (limited to 'ospfclient')
-rw-r--r--ospfclient/ospf_apiclient.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/ospfclient/ospf_apiclient.c b/ospfclient/ospf_apiclient.c
index e84c6f5b3..41f0b25b9 100644
--- a/ospfclient/ospf_apiclient.c
+++ b/ospfclient/ospf_apiclient.c
@@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
return OSPF_API_ILLEGALLSATYPE;
}
+ if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {
+ fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n",
+ opaquelen, sizeof(buf));
+ return OSPF_API_NOMEMORY;
+ }
+
/* Make a new LSA from parameters */
lsah = (struct lsa_header *)buf;
lsah->ls_age = 0;
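Review bot: The added `if` depends on the `(size_t)` cast to reject a negative `opaquelen` as well as an oversized one, since a negative int converts to a very large unsigned value. That is correct but implicit, and it deserves a comment such as `/* the size_t cast also rejects a negative opaquelen; the payload limit is buf minus the LSA header */`. The log line prints `sizeof(buf)` although the limit actually enforced is `sizeof(buf) - sizeof(struct lsa_header)`, so a length between the two is reported as larger than a size it does not exceed; passing `sizeof(buf) - sizeof(struct lsa_header)` as the `%zu` argument would match the check. The guard is only a real bound if `buf` is an array declared in this function rather than a pointer. Its declaration is outside the hunk and should be confirmed, as the function body starts and ends outside the hunk.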