diff options
| author | Paul Jakma <paul.jakma@hpe.com> | 2016-02-08 14:46:28 +0000 |
|---|---|---|
| committer | Paul Jakma <paul.jakma@hpe.com> | 2016-03-08 17:53:22 +0000 |
| commit | 2db962760426ddb9e266f9a4bc0b274584c819cc (patch) | |
| tree | 406ea2dc4196e9904ab9832a7dae548f4cdcf91d | |
| parent | 405e9e19eb6ce62fa4f3f39a1f73990db9e146b7 (diff) | |
| download | quagga-2db962760426ddb9e266f9a4bc0b274584c819cc.tar.bz2 quagga-2db962760426ddb9e266f9a4bc0b274584c819cc.tar.xz | |
lib: zclient can overflow (struct interface) hw_addr if zebra is evil
* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
is used as trusted input to read off the hw_addr and write to the
INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is
bounds-checked by the stream abstraction, however the write out to the
heap can not be.
Tighten the supplied length to stream_get used to do the write.
Impact: a malicious zebra can overflow the heap of clients using the ZServ
IPC. Note that zebra is already fairly trusted within Quagga.
Reported-by: Kostya Kortchinsky <kostyak@google.com>
| -rw-r--r-- | lib/zclient.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/zclient.c b/lib/zclient.c index 9188c018..610008b4 100644 --- a/lib/zclient.c +++ b/lib/zclient.c @@ -794,7 +794,7 @@ zebra_interface_if_set_value (struct stream *s, struct interface *ifp) ifp->ll_type = stream_getl (s); ifp->hw_addr_len = stream_getl (s); if (ifp->hw_addr_len) - stream_get (ifp->hw_addr, s, ifp->hw_addr_len); + stream_get (ifp->hw_addr, s, MIN(ifp->hw_addr_len, INTERFACE_HWADDR_MAX)); } static int |