babeld: Do not copy beyond end of data
authorDonald Sharp <sharpd@cumulusnetworks.com>
Mon, 9 Oct 2017 20:36:52 +0000 (16:36 -0400)
committerDonald Sharp <sharpd@cumulusnetworks.com>
Mon, 9 Oct 2017 23:29:09 +0000 (19:29 -0400)
The function really_send_update takes a 'const unsigned char *id'
and is called with myid (an 8 byte array) and route->src->id (an 8
byte array), but we copy from these pointers into
babel_ifp->buffered_id, which is a 16 byte array.

Adjust the size of buffered_id to be 8 bytes and fix the copy
to only copy the 8 bytes.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
babeld/babel_interface.h
babeld/message.c

index 64509afa17d2efe08dcd7bdac2a0645091d8029e..501177e602231540c2b6b7aa274bf925b47a9503 100644 (file)
@@ -50,7 +50,7 @@ struct babel_interface {
     char have_buffered_id;
     char have_buffered_nh;
     char have_buffered_prefix;
-    unsigned char buffered_id[16];
+    unsigned char buffered_id[8];
     unsigned char buffered_nh[4];
     unsigned char buffered_prefix[16];
     unsigned char *sendbuf;
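Review bot: The new bound in `unsigned char buffered_id[8];` is a bare literal, and nothing at the declaration says it has to equal the router-id length that really_send_update copies into it. A one-line comment on the field would record that, for example `/* router-id last sent in a MESSAGE_ROUTER_ID; must stay 8 bytes */`. Any other reader of `buffered_id` that still assumes 16 bytes would now read past the field. No such reader is visible in this diff, so the remaining uses should be checked before merging. The struct definition continues outside the hunk.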
index e31d5de5df64326c26dce6c2b293e52d96ab31f7..142770e86e13f2433c0884d12353de0cc4f398fa 100644 (file)
@@ -1080,7 +1080,7 @@ really_send_update(struct interface *ifp,
             accumulate_bytes(ifp, id, 8);
             end_message(ifp, MESSAGE_ROUTER_ID, 10);
         }
-        memcpy(babel_ifp->buffered_id, id, 16);
+        memcpy(babel_ifp->buffered_id, id, sizeof(babel_ifp->buffered_id));
         babel_ifp->have_buffered_id = 1;
     }
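Review bot: `sizeof(babel_ifp->buffered_id)` bounds the write, but the bug being fixed was an over-read of `id`, a bare pointer with no length, so the `memcpy` is only safe while the field stays exactly as long as the router-id. The `accumulate_bytes(ifp, id, 8)` call a few lines above still uses the literal `8`, so the two lengths can drift apart if the field is ever resized. If the project's C standard allows it, pin the assumption next to the copy with `_Static_assert(sizeof(babel_ifp->buffered_id) == 8, "buffered_id must match router-id length");`. Alternatively, use one named constant for the array size, the `accumulate_bytes` length and the `memcpy` length. really_send_update starts and ends outside the hunk.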