diff options
| author | Paul Jakma <paul.jakma@hpe.com> | 2016-02-09 15:23:03 +0000 |
|---|---|---|
| committer | Paul Jakma <paul.jakma@hpe.com> | 2016-03-08 17:53:22 +0000 |
| commit | bf83fa25f1bddec6f09ad879cba5e975a3ae5495 (patch) | |
| tree | a01a0137a4193d2d33d61bb43c113afef3e421a6 /isisd/isis_zebra.c | |
| parent | 2db962760426ddb9e266f9a4bc0b274584c819cc (diff) | |
| download | quagga-bf83fa25f1bddec6f09ad879cba5e975a3ae5495.tar.bz2 quagga-bf83fa25f1bddec6f09ad879cba5e975a3ae5495.tar.xz | |
lib: Check prefix length from zebra is sensible
* zclient.c: prefix length on router-id and interface address add
messages not sanity checked. fix.
* */*_zebra.c: Prefix length on zebra route read was not checked, and
clients use it to write to storage. An evil zebra could overflow
client structures by sending overly long prefixlen.
Prompted by discussions with:
Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'isisd/isis_zebra.c')
| -rw-r--r-- | isisd/isis_zebra.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/isisd/isis_zebra.c b/isisd/isis_zebra.c index 6c398cf5..a1a5bea7 100644 --- a/isisd/isis_zebra.c +++ b/isisd/isis_zebra.c @@ -541,7 +541,7 @@ isis_zebra_read_ipv4 (int command, struct zclient *zclient, api.message = stream_getc (stream); p.family = AF_INET; - p.prefixlen = stream_getc (stream); + p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (stream)); stream_get (&p.prefix, stream, PSIZE (p.prefixlen)); if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP)) |