ospf6d: Fix write beyond data structure

Converting a 'struct prefix6' to a 'struct prefix'
and then doing a memcpy of the contents writes
beyond the end of the data structure.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Donald Sharp 2017-03-01 07:45:21 -05:00
parent 608a261b2c
commit b95e5c8c69


@ -217,7 +217,7 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
struct stream *s;
struct zapi_ipv6 api;
unsigned long ifindex;
struct prefix_ipv6 p, src_p;
struct prefix p, src_p;
struct in6_addr *nexthop;
if (ospf6 == NULL)
@ -235,17 +235,17 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
api.message = stream_getc (s);
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
memset (&p, 0, sizeof (struct prefix));
p.family = AF_INET6;
p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
stream_get (&p.u.prefix6, s, PSIZE (p.prefixlen));
memset (&src_p, 0, sizeof (struct prefix_ipv6));
memset (&src_p, 0, sizeof (struct prefix));
src_p.family = AF_INET6;
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_SRCPFX))
{
src_p.prefixlen = stream_getc (s);
stream_get (&src_p.prefix, s, PSIZE (src_p.prefixlen));
stream_get (&src_p.u.prefix6, s, PSIZE (src_p.prefixlen));
}
if (src_p.prefixlen)
@ -294,10 +294,10 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
}
if (command == ZEBRA_REDISTRIBUTE_IPV6_ADD)
ospf6_asbr_redistribute_add (api.type, ifindex, (struct prefix *) &p,
ospf6_asbr_redistribute_add (api.type, ifindex, &p,
api.nexthop_num, nexthop, api.tag);
else
ospf6_asbr_redistribute_remove (api.type, ifindex, (struct prefix *) &p);
ospf6_asbr_redistribute_remove (api.type, ifindex, &p);
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP))
free (nexthop);
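Review bot: The source-prefix length in the ZAPI_MESSAGE_SRCPFX branch (second hunk) is read from the stream without a bound, unlike `p.prefixlen`, which is clamped with `MIN(IPV6_MAX_PREFIXLEN, ...)`. `stream_getc` presumably returns a full byte, so `PSIZE (src_p.prefixlen)` can exceed the size of `src_p.u.prefix6`, and the following `stream_get` would still copy past the member, which is the same class of overrun this commit sets out to fix. Clamp it the same way: `src_p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));`. ospf6_zebra_read_ipv6 starts and ends outside the visible hunks, so a length check elsewhere in the function cannot be ruled out from this page.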