summaryrefslogtreecommitdiffstats
path: root/ripngd
diff options
context:
space:
mode:
authorPaul Jakma <paul.jakma@hpe.com>2016-02-09 16:23:03 +0100
committerDonald Sharp <sharpd@cumulusnetworks.com>2016-09-23 18:12:17 +0200
commitd91788284ed910bcf945c01ceb18334423cc352d (patch)
tree9f79d7d56a5e5d7abb7455d01c4c8b832e1dc243 /ripngd
parentlib: force local MIN/MAX macros (diff)
downloadfrr-d91788284ed910bcf945c01ceb18334423cc352d.tar.xz
frr-d91788284ed910bcf945c01ceb18334423cc352d.zip
lib: Check prefix length from zebra is sensible
* zclient.c: prefix length on router-id and interface address add messages not sanity checked. fix. * */*_zebra.c: Prefix length on zebra route read was not checked, and clients use it to write to storage. An evil zebra could overflow client structures by sending overly long prefixlen. Prompted by discussions with: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'ripngd')
-rw-r--r--ripngd/ripng_zebra.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ripngd/ripng_zebra.c b/ripngd/ripng_zebra.c
index 1184cd0db..e1ede095e 100644
--- a/ripngd/ripng_zebra.c
+++ b/ripngd/ripng_zebra.c
@@ -149,7 +149,7 @@ ripng_zebra_read_ipv6 (int command, struct zclient *zclient,
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
p.family = AF_INET6;
- p.prefixlen = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */