From bf83fa25f1bddec6f09ad879cba5e975a3ae5495 Mon Sep 17 00:00:00 2001
From: Paul Jakma
Date: Tue, 9 Feb 2016 15:23:03 +0000
Subject: lib: Check prefix length from zebra is sensible
* zclient.c: prefix length on router-id and interface address add messages not sanity checked. fix.
* */*_zebra.c: Prefix length on zebra route read was not checked, and clients use it to write to storage. An evil zebra could overflow client structures by sending overly long prefixlen.
Prompted by discussions with: Donald Sharp
---
 ospf6d/ospf6_zebra.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'ospf6d/ospf6_zebra.c')
diff --git a/ospf6d/ospf6_zebra.c b/ospf6d/ospf6_zebra.c
index 30b6fc6f..0caf0014 100644
--- a/ospf6d/ospf6_zebra.c
+++ b/ospf6d/ospf6_zebra.c
@@ -227,7 +227,7 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
  /* IPv6 prefix. */
  memset (&p, 0, sizeof (struct prefix_ipv6));
  p.family = AF_INET6;
- p.prefixlen = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
  stream_get (&p.prefix, s, PSIZE (p.prefixlen));
  /* Nexthop, ifindex, distance, metric. */
-- 
cgit v1.2.3
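Review bot: `MIN(IPV6_MAX_PREFIXLEN, stream_getc (s))` hands a call with a side effect to a macro; if `MIN` resolves to the common ternary form `((a) < (b) ? (a) : (b))` (its definition is not visible in this hunk), then whenever the first byte is in range `stream_getc` runs a second time, the stream advances by two bytes, and the value stored in `p.prefixlen` is the second, unchecked byte. Reading into a local first removes that dependency on the macro's definition: `unsigned char plen = stream_getc (s);` followed by `p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, plen);`. Clamping also makes `stream_get` consume fewer bytes than the sender presumably wrote for an oversized length, so the nexthop and later fields would be read from the wrong offset; rejecting the message when `plen > IPV6_MAX_PREFIXLEN` looks safer than continuing to parse. The body of ospf6_zebra_read_ipv6 starts and ends outside this hunk, so the error path available for such a rejection is not shown.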