diff options
author | Renato Westphal <renato@opensourcerouting.org> | 2017-09-21 14:49:31 +0200 |
---|---|---|
committer | Renato Westphal <renato@opensourcerouting.org> | 2017-09-21 16:21:09 +0200 |
commit | a74e593b3545374a9021f8264152dba42e08323a (patch) | |
tree | f4e3c701b0bbf97aa03d4cfc3bee2baddb639bad /ripngd/ripng_zebra.c | |
parent | Merge pull request #1212 from mkanjari/init-fix (diff) | |
download | frr-a74e593b3545374a9021f8264152dba42e08323a.tar.xz frr-a74e593b3545374a9021f8264152dba42e08323a.zip |
*: fix segfault when sending more than MULTIPATH_NUM nexthops
This is a fallout from PR #1022 (zapi consolidation). In the early days,
the client daemons would allocate enough memory to send all nexthops
to zebra. Then zebra would add all nexthops to the RIB and respect
MULTIPATH_NUM only when installing the routes in the kernel. Now things
are different and the client daemons can send at most MULTIPATH_NUM
nexthops to zebra, and failure to respect that will result in a buffer
overflow. The MULTIPATH_NUM limit in the new zebra API is a small price
we pay to avoid allocating memory for each route sent to zebra.
Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
Diffstat (limited to 'ripngd/ripng_zebra.c')
-rw-r--r-- | ripngd/ripng_zebra.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ripngd/ripng_zebra.c b/ripngd/ripng_zebra.c index 283d8691a..7edaaa5df 100644 --- a/ripngd/ripng_zebra.c +++ b/ripngd/ripng_zebra.c @@ -54,6 +54,8 @@ static void ripng_zebra_ipv6_send(struct route_node *rp, u_char cmd) SET_FLAG(api.message, ZAPI_MESSAGE_NEXTHOP); for (ALL_LIST_ELEMENTS_RO(list, listnode, rinfo)) { + if (count >= MULTIPATH_NUM) + break; api_nh = &api.nexthops[count]; api_nh->gate.ipv6 = rinfo->nexthop; api_nh->ifindex = rinfo->ifindex; |