ospf6d: Fix write beyond data structure

Converting a 'struct prefix6' to a 'struct prefix'
and then doing a memcpy of the contents writes
beyond the end of the data structure.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Donald Sharp 2017-03-01 07:45:21 -05:00
parent 608a261b2c
commit b95e5c8c69


@ -217,7 +217,7 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
struct stream *s; struct stream *s;
struct zapi_ipv6 api; struct zapi_ipv6 api;
unsigned long ifindex; unsigned long ifindex;
struct prefix_ipv6 p, src_p; struct prefix p, src_p;
struct in6_addr *nexthop; struct in6_addr *nexthop;
if (ospf6 == NULL) if (ospf6 == NULL)
@ -235,17 +235,17 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
api.message = stream_getc (s); api.message = stream_getc (s);
/* IPv6 prefix. */ /* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6)); memset (&p, 0, sizeof (struct prefix));
p.family = AF_INET6; p.family = AF_INET6;
p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s)); p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
stream_get (&p.prefix, s, PSIZE (p.prefixlen)); stream_get (&p.u.prefix6, s, PSIZE (p.prefixlen));
memset (&src_p, 0, sizeof (struct prefix_ipv6)); memset (&src_p, 0, sizeof (struct prefix));
src_p.family = AF_INET6; src_p.family = AF_INET6;
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_SRCPFX)) if (CHECK_FLAG (api.message, ZAPI_MESSAGE_SRCPFX))
{ {
src_p.prefixlen = stream_getc (s); src_p.prefixlen = stream_getc (s);
stream_get (&src_p.prefix, s, PSIZE (src_p.prefixlen)); stream_get (&src_p.u.prefix6, s, PSIZE (src_p.prefixlen));
} }
if (src_p.prefixlen) if (src_p.prefixlen)
@ -294,10 +294,10 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
} }
if (command == ZEBRA_REDISTRIBUTE_IPV6_ADD) if (command == ZEBRA_REDISTRIBUTE_IPV6_ADD)
ospf6_asbr_redistribute_add (api.type, ifindex, (struct prefix *) &p, ospf6_asbr_redistribute_add (api.type, ifindex, &p,
api.nexthop_num, nexthop, api.tag); api.nexthop_num, nexthop, api.tag);
else else
ospf6_asbr_redistribute_remove (api.type, ifindex, (struct prefix *) &p); ospf6_asbr_redistribute_remove (api.type, ifindex, &p);
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP)) if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP))
free (nexthop); free (nexthop);
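Review bot: The source-prefix length at `src_p.prefixlen = stream_getc (s);` is still read from the stream unclamped, whereas `p.prefixlen` a few lines above is bounded with `MIN(IPV6_MAX_PREFIXLEN, ...)`. If PSIZE rounds a bit count up to bytes, as its use here suggests, a length byte above 128 makes the following `stream_get (&src_p.u.prefix6, ...)` copy more than the 16 bytes of an IPv6 address, which is the same class of out-of-bounds write this commit sets out to fix. I would apply the same bound: `src_p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));`. The body of ospf6_zebra_read_ipv6 starts and ends outside the visible hunks, so a later check on `src_p.prefixlen` cannot be ruled out, but it would run after the copy.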