lib: zclient can overflow (struct interface) hw_addr if zebra is evil

* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
  is used as trusted input to read off the hw_addr and write to the
  INTERFACE_HWADDR_MAX sized hw_addr field.  The read from the stream is
  bounds-checked by the stream abstraction, however the write out to the
  heap can not be.

  Tighten the supplied length to stream_get used to do the write.

  Impact: a malicious zebra can overflow the heap of clients using the ZServ
  IPC.  Note that zebra is already fairly trusted within Quagga.

Reported-by: Kostya Kortchinsky <kostyak@google.com>
Paul Jakma 2016-02-08 14:46:28 +00:00 committed by Donald Sharp
parent 50905aa278
commit cbe0a6a1e9

@ -1048,7 +1048,7 @@ zebra_interface_if_set_value (struct stream *s, struct interface *ifp)
#else #else
ifp->hw_addr_len = stream_getl (s); ifp->hw_addr_len = stream_getl (s);
if (ifp->hw_addr_len) if (ifp->hw_addr_len)
stream_get (ifp->hw_addr, s, ifp->hw_addr_len); stream_get (ifp->hw_addr, s, MIN(ifp->hw_addr_len, INTERFACE_HWADDR_MAX));
#endif /* HAVE_STRUCT_SOCKADDR_DL */ #endif /* HAVE_STRUCT_SOCKADDR_DL */
} }
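
Review bot: ifp->hw_addr_len is left holding the unclamped value from stream_getl (s) after the changed stream_get line, so only the copy is bounded; any later code that walks ifp->hw_addr using ifp->hw_addr_len as the length would still read past the INTERFACE_HWADDR_MAX-sized buffer. Consider clamping the field itself before the copy (or rejecting the message when the length exceeds INTERFACE_HWADDR_MAX) and passing that stored value to stream_get, so the length kept in the struct always matches what was written. When the length is truncated, the remaining bytes of the oversized address are also left unread in the stream; if anything is parsed after this point it would start at the wrong offset, so either skip the excess explicitly or treat the message as malformed. A short comment on the line noting that the length comes from the peer and is untrusted would help future readers.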