From 2db962760426ddb9e266f9a4bc0b274584c819cc Mon Sep 17 00:00:00 2001
From: Paul Jakma
Date: Mon, 8 Feb 2016 14:46:28 +0000
Subject: lib: zclient can overflow (struct interface) hw_addr if zebra is evil
* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field is used as trusted input to read off the hw_addr and write to the INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is bounds-checked by the stream abstraction, however the write out to the heap can not be. Tighten the supplied length to stream_get used to do the write. Impact: a malicious zebra can overflow the heap of clients using the ZServ IPC. Note that zebra is already fairly trusted within Quagga.
Reported-by: Kostya Kortchinsky
---
 lib/zclient.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/zclient.c')
diff --git a/lib/zclient.c b/lib/zclient.c
index 9188c018..610008b4 100644
--- a/lib/zclient.c
+++ b/lib/zclient.c
@@ -794,7 +794,7 @@ zebra_interface_if_set_value (struct stream *s, struct interface *ifp)
 ifp->ll_type = stream_getl (s);
 ifp->hw_addr_len = stream_getl (s);
 if (ifp->hw_addr_len)
- stream_get (ifp->hw_addr, s, ifp->hw_addr_len);
+ stream_get (ifp->hw_addr, s, MIN(ifp->hw_addr_len, INTERFACE_HWADDR_MAX));
 }
 static int
--
cgit v1.2.3
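Review bot: `ifp->hw_addr_len` keeps the unclamped value read from the stream, because the added `MIN()` bounds only the `stream_get` copy; any later code that walks `hw_addr` by `hw_addr_len` could then read past the `INTERFACE_HWADDR_MAX`-sized array. Clamping the field itself before the copy covers both the write and later reads, e.g. `if (ifp->hw_addr_len > INTERFACE_HWADDR_MAX) ifp->hw_addr_len = INTERFACE_HWADDR_MAX;` followed by the original `stream_get (ifp->hw_addr, s, ifp->hw_addr_len);`. The declared type of `hw_addr_len` is not visible in the hunk; if it is signed, a large value from `stream_getl` could become negative and pass through `MIN()` unchanged, so the comparison is safer on an unsigned copy of the length. A truncated copy also leaves the excess bytes unread in the stream, which is harmless only while this stays the last field parsed here; the start of the function lies outside the hunk.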