diff options
author | Paul Jakma <paul.jakma@hpe.com> | 2016-02-09 16:23:03 +0100 |
---|---|---|
committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2016-09-23 18:12:17 +0200 |
commit | d91788284ed910bcf945c01ceb18334423cc352d (patch) | |
tree | 9f79d7d56a5e5d7abb7455d01c4c8b832e1dc243 /ripngd | |
parent | lib: force local MIN/MAX macros (diff) | |
download | frr-d91788284ed910bcf945c01ceb18334423cc352d.tar.xz frr-d91788284ed910bcf945c01ceb18334423cc352d.zip |
lib: Check prefix length from zebra is sensible
* zclient.c: prefix length on router-id and interface address add
messages not sanity checked. fix.
* */*_zebra.c: Prefix length on zebra route read was not checked, and
clients use it to write to storage. An evil zebra could overflow
client structures by sending overly long prefixlen.
Prompted by discussions with:
Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'ripngd')
-rw-r--r-- | ripngd/ripng_zebra.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ripngd/ripng_zebra.c b/ripngd/ripng_zebra.c index 1184cd0db..e1ede095e 100644 --- a/ripngd/ripng_zebra.c +++ b/ripngd/ripng_zebra.c @@ -149,7 +149,7 @@ ripng_zebra_read_ipv6 (int command, struct zclient *zclient, /* IPv6 prefix. */ memset (&p, 0, sizeof (struct prefix_ipv6)); p.family = AF_INET6; - p.prefixlen = stream_getc (s); + p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s)); stream_get (&p.prefix, s, PSIZE (p.prefixlen)); /* Nexthop, ifindex, distance, metric. */ |