lib: Check prefix length from zebra is sensible

* zclient.c: prefix length on router-id and interface address add
  messages not sanity checked.  fix.

* */*_zebra.c: Prefix length on zebra route read was not checked, and
  clients use it to write to storage.  An evil zebra could overflow
  client structures by sending overly long prefixlen.

Prompted by discussions with:

Donald Sharp <sharpd@cumulusnetworks.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c
index 4ec15d0d..bee1a947 100644
--- a/bgpd/bgp_zebra.c
+++ b/bgpd/bgp_zebra.c
@@ -250,7 +250,7 @@ zebra_read_ipv4 (int command, struct zclient *zclient, zebra_size_t length,
   /* IPv4 prefix. */
   memset (&p, 0, sizeof (struct prefix_ipv4));
   p.family = AF_INET;
-  p.prefixlen = stream_getc (s);
+  p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
   stream_get (&p.prefix, s, PSIZE (p.prefixlen));
 
   /* Nexthop, ifindex, distance, metric. */
@@ -326,7 +326,7 @@ zebra_read_ipv6 (int command, struct zclient *zclient, zebra_size_t length,
   /* IPv6 prefix. */
   memset (&p, 0, sizeof (struct prefix_ipv6));
   p.family = AF_INET6;
-  p.prefixlen = stream_getc (s);
+  p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
   stream_get (&p.prefix, s, PSIZE (p.prefixlen));
 
   /* Nexthop, ifindex, distance, metric. */