zebra: Avoid buffer overflow using netlink_parse_rtattr_nested() 11639/head
authorDonatas Abraitis <donatas@opensourcerouting.org>
Sun, 17 Jul 2022 19:31:48 +0000 (22:31 +0300)
committerMergify <37929162+mergify[bot]@users.noreply.github.com>
Mon, 18 Jul 2022 16:41:29 +0000 (16:41 +0000)
memset(tb, 0, sizeof(struct rtattr *) * (max + 1)); in netlink_parse_rtattr()
seems like a good candidate for a buffer overflow.

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit ce39ca16dd9ab7233e13171e08c35b2e1c196493)

zebra/rt_netlink.c

index 93b2d946714bebad61dd09fd9794e40e14e9d5c7..1fa8ce3f642052cebe541e956674635cf03757fe 100644 (file)
@@ -420,10 +420,10 @@ static enum seg6local_action_t
 parse_encap_seg6local(struct rtattr *tb,
                      struct seg6local_context *ctx)
 {
-       struct rtattr *tb_encap[256] = {};
+       struct rtattr *tb_encap[SEG6_LOCAL_MAX + 1] = {};
        enum seg6local_action_t act = ZEBRA_SEG6_LOCAL_ACTION_UNSPEC;
 
-       netlink_parse_rtattr_nested(tb_encap, 256, tb);
+       netlink_parse_rtattr_nested(tb_encap, SEG6_LOCAL_MAX, tb);
 
        if (tb_encap[SEG6_LOCAL_ACTION])
                act = *(uint32_t *)RTA_DATA(tb_encap[SEG6_LOCAL_ACTION]);
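Review bot: The array length and the `max` argument are still written as two separate values in `parse_encap_seg6local()`, and again in the `parse_encap_seg6()` hunk below. The invariant this commit restores (the array must hold `max + 1` slots, per the memset quoted in the commit message) therefore depends on each caller keeping the two in step by hand. Deriving the bound from the array removes that coupling: `netlink_parse_rtattr_nested(tb_encap, sizeof(tb_encap) / sizeof(tb_encap[0]) - 1, tb);`. Other callers that pass a literal bound are not visible in this diff and would be worth auditing for the same mismatch. The body of `parse_encap_seg6local()` continues past the end of the hunk.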
@@ -448,11 +448,11 @@ parse_encap_seg6local(struct rtattr *tb,
 
 static int parse_encap_seg6(struct rtattr *tb, struct in6_addr *segs)
 {
-       struct rtattr *tb_encap[256] = {};
+       struct rtattr *tb_encap[SEG6_IPTUNNEL_MAX + 1] = {};
        struct seg6_iptunnel_encap *ipt = NULL;
        struct in6_addr *segments = NULL;
 
-       netlink_parse_rtattr_nested(tb_encap, 256, tb);
+       netlink_parse_rtattr_nested(tb_encap, SEG6_IPTUNNEL_MAX, tb);
 
        /*
         * TODO: It's not support multiple SID list.