From e4081c0e0b0ff763f446d92095017e8cb4df67aa Mon Sep 17 00:00:00 2001
From: Renato Westphal <renato@opensourcerouting.org>
Date: Wed, 2 Jan 2019 18:26:11 -0200
Subject: [PATCH] lib: add a few more sanity checks when encoding/decoding
 routes

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
---
 lib/zclient.c    | 22 +++++++++++++++++++++-
 zebra/zapi_msg.c |  1 +
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/lib/zclient.c b/lib/zclient.c
index 1c40750db0..a6210e3963 100644
--- a/lib/zclient.c
+++ b/lib/zclient.c
@@ -749,10 +749,24 @@ int zapi_route_encode(uint8_t cmd, struct stream *s, struct zapi_route *api)
 	stream_reset(s);
 	zclient_create_header(s, cmd, api->vrf_id);
 
+	if (api->type >= ZEBRA_ROUTE_MAX) {
+		flog_err(EC_LIB_ZAPI_ENCODE,
+			 "%s: Specified route type (%u) is not a legal value\n",
+			 __PRETTY_FUNCTION__, api->type);
+		return -1;
+	}
 	stream_putc(s, api->type);
+
 	stream_putw(s, api->instance);
 	stream_putl(s, api->flags);
 	stream_putc(s, api->message);
+
+	if (api->safi < SAFI_UNICAST || api->safi >= SAFI_MAX) {
+		flog_err(EC_LIB_ZAPI_ENCODE,
+			 "%s: Specified route SAFI (%u) is not a legal value\n",
+			 __PRETTY_FUNCTION__, api->safi);
+		return -1;
+	}
 	stream_putc(s, api->safi);
 
 	/* Put prefix information. */
@@ -868,7 +882,7 @@ int zapi_route_decode(struct stream *s, struct zapi_route *api)
 
 	/* Type, flags, message. */
 	STREAM_GETC(s, api->type);
-	if (api->type > ZEBRA_ROUTE_MAX) {
+	if (api->type >= ZEBRA_ROUTE_MAX) {
 		flog_err(EC_LIB_ZAPI_ENCODE,
 			 "%s: Specified route type: %d is not a legal value\n",
 			 __PRETTY_FUNCTION__, api->type);
@@ -879,6 +893,12 @@ int zapi_route_decode(struct stream *s, struct zapi_route *api)
 	STREAM_GETL(s, api->flags);
 	STREAM_GETC(s, api->message);
 	STREAM_GETC(s, api->safi);
+	if (api->safi < SAFI_UNICAST || api->safi >= SAFI_MAX) {
+		flog_err(EC_LIB_ZAPI_ENCODE,
+			 "%s: Specified route SAFI (%u) is not a legal value\n",
+			 __PRETTY_FUNCTION__, api->safi);
+		return -1;
+	}
 
 	/* Prefix. */
 	STREAM_GETC(s, api->prefix.family);
diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c
index faa0eb90e4..8fe7031abe 100644
--- a/zebra/zapi_msg.c
+++ b/zebra/zapi_msg.c
@@ -530,6 +530,7 @@ int zsend_redistribute_route(int cmd, struct zserv *client,
 	memset(&api, 0, sizeof(api));
 	api.vrf_id = re->vrf_id;
 	api.type = re->type;
+	api.safi = SAFI_UNICAST;
 	api.instance = re->instance;
 	api.flags = re->flags;