proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-04 20:18:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

zebra: fix buffer overflow

Browse Source 
mac is only 6 bytes long and we shouldn't blindly copy unknown number of
bytes into it.

Fixes #9671.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
This commit is contained in:
Igor Ryzhov 2021-09-28 15:44:51 +03:00
parent 01236d7aa7
commit b7c21fad11
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
zebra/rt_netlink.c
View File

@ -3744,7 +3744,6 @@ static int netlink_ipneigh_change(struct nlmsghdr *h, int len, ns_id_t ns_id)
if (tb[NDA_LLADDR]) { if (tb[NDA_LLADDR]) {
/* copy LLADDR information */ /* copy LLADDR information */
l2_len = RTA_PAYLOAD(tb[NDA_LLADDR]); l2_len = RTA_PAYLOAD(tb[NDA_LLADDR]);
memcpy(&mac, RTA_DATA(tb[NDA_LLADDR]), l2_len);
} }
if (l2_len == IPV4_MAX_BYTELEN || l2_len == 0) { if (l2_len == IPV4_MAX_BYTELEN || l2_len == 0) {
union sockunion link_layer_ipv4; union sockunion link_layer_ipv4;
@ -3752,7 +3751,7 @@ static int netlink_ipneigh_change(struct nlmsghdr *h, int len, ns_id_t ns_id)
if (l2_len) { if (l2_len) {
sockunion_family(&link_layer_ipv4) = AF_INET; sockunion_family(&link_layer_ipv4) = AF_INET;
memcpy((void *)sockunion_get_addr(&link_layer_ipv4), memcpy((void *)sockunion_get_addr(&link_layer_ipv4),
&mac, l2_len); RTA_DATA(tb[NDA_LLADDR]), l2_len);
} else } else
sockunion_family(&link_layer_ipv4) = AF_UNSPEC; sockunion_family(&link_layer_ipv4) = AF_UNSPEC;
zsend_nhrp_neighbor_notify( zsend_nhrp_neighbor_notify(