proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-04-28 21:20:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ospfclient: Ensure ospf_apiclient_lsa_originate cannot accidently write into stack

Browse Source 
Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound
on what can be written into a lsa, let's add a small check to ensure
it is not possible to do a bad thing.

This wins one of the long standing bug awards.  2003!

Fixes: #11602
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
This commit is contained in:
Donald Sharp 2022-07-20 16:43:17 -04:00
parent b8443f7ad3
commit d2aeac3870
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ospfclient/ospf_apiclient.c
View File

@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
return OSPF_API_ILLEGALLSATYPE;
}
if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {
fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n",
opaquelen, sizeof(buf));
return OSPF_API_NOMEMORY;
}
/* Make a new LSA from parameters */
lsah = (struct lsa_header *)buf;
lsah->ls_age = 0;