lib: zclient can overflow (struct interface) hw_addr if zebra is evil

* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
  is used as trusted input to read off the hw_addr and write to the
  INTERFACE_HWADDR_MAX sized hw_addr field.  The read from the stream is
  bounds-checked by the stream abstraction, however the write out to the
  heap can not be.

  Tighten the supplied length to stream_get used to do the write.

  Impact: a malicious zebra can overflow the heap of clients using the ZServ
  IPC.  Note that zebra is already fairly trusted within Quagga.

Reported-by: Kostya Kortchinsky <kostyak@google.com>

0 files changed, 0 insertions, 0 deletions