lib: Check prefix length from zebra is sensible

* zclient.c: prefix length on router-id and interface address add messages not sanity checked. fix. * */*_zebra.c: Prefix length on zebra route read was not checked, and clients use it to write to storage. An evil zebra could overflow client structures by sending overly long prefixlen. Prompted by discussions with: Donald Sharp <sharpd@cumulusnetworks.com>
author: Paul Jakma <paul.jakma@hpe.com> 2016-02-09 15:23:03 +0000
committer: Paul Jakma <paul.jakma@hpe.com> 2016-03-08 17:53:22 +0000
commit: bf83fa25f1bddec6f09ad879cba5e975a3ae5495 (patch)
tree: a01a0137a4193d2d33d61bb43c113afef3e421a6 /ospfd/ospf_zebra.c
parent: 2db962760426ddb9e266f9a4bc0b274584c819cc (diff)
download: quagga-bf83fa25f1bddec6f09ad879cba5e975a3ae5495.tar.bz2
quagga-bf83fa25f1bddec6f09ad879cba5e975a3ae5495.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/ospfd/ospf_zebra.c b/ospfd/ospf_zebra.c
index cf2ea81f..4531f13d 100644
--- a/ospfd/ospf_zebra.c
+++ b/ospfd/ospf_zebra.c
@@ -845,7 +845,7 @@ ospf_zebra_read_ipv4 (int command, struct zclient *zclient,
   /* IPv4 prefix. */
   memset (&p, 0, sizeof (struct prefix_ipv4));
   p.family = AF_INET;
-  p.prefixlen = stream_getc (s);
+  p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
   stream_get (&p.prefix, s, PSIZE (p.prefixlen));
 
   if (IPV4_NET127(ntohl(p.prefix.s_addr)))
author	Paul Jakma <paul.jakma@hpe.com>	2016-02-09 15:23:03 +0000
committer	Paul Jakma <paul.jakma@hpe.com>	2016-03-08 17:53:22 +0000
commit	bf83fa25f1bddec6f09ad879cba5e975a3ae5495 (patch)
tree	a01a0137a4193d2d33d61bb43c113afef3e421a6 /ospfd/ospf_zebra.c
parent	2db962760426ddb9e266f9a4bc0b274584c819cc (diff)
download	quagga-bf83fa25f1bddec6f09ad879cba5e975a3ae5495.tar.bz2 quagga-bf83fa25f1bddec6f09ad879cba5e975a3ae5495.tar.xz