babeld/eigrpd/ldpd/nhrpd: add prefix length sanity checks

Pulled from d917882.

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>

diff --git a/babeld/babel_zebra.c b/babeld/babel_zebra.c
index a1d3a9e8ccfb60d83c75074ed3d27dbb8beb9f4c..2b998940d74f03c1eaefc1f63e4d6185f08183a9 100644 (file)
--- a/babeld/babel_zebra.c
+++ b/babeld/babel_zebra.c
@@ -79,7 +79,7 @@ babel_zebra_read_ipv6 (int command, struct zclient *zclient,
 
     /* IPv6 prefix. */
     prefix.family = AF_INET6;
-    prefix.prefixlen = stream_getc (s);
+    prefix.prefixlen = MIN (IPV6_MAX_PREFIXLEN, stream_getc (s));
     stream_get (&prefix.prefix, s, PSIZE (prefix.prefixlen));
 
     memset(&src_p, 0, sizeof(src_p));
@@ -140,9 +140,9 @@ babel_zebra_read_ipv4 (int command, struct zclient *zclient,
     api.flags = stream_getl (s);
     api.message = stream_getc (s);
 
-    /* IPv6 prefix. */
+    /* IPv4 prefix. */
     prefix.family = AF_INET;
-    prefix.prefixlen = stream_getc (s);
+    prefix.prefixlen = MIN (IPV4_MAX_PREFIXLEN, stream_getc (s));
     stream_get (&prefix.prefix, s, PSIZE (prefix.prefixlen));
 
     /* Nexthop, ifindex, distance, metric. */

diff --git a/eigrpd/eigrp_zebra.c b/eigrpd/eigrp_zebra.c
index 0ee89eb675a86d87c0f4967c9a56d5cfb17d7380..6fc3f2935300c018baacd8ac7f8a148c247ae39c 100644 (file)
--- a/eigrpd/eigrp_zebra.c
+++ b/eigrpd/eigrp_zebra.c
@@ -137,7 +137,7 @@ static int eigrp_zebra_read_ipv4(int command, struct zclient *zclient,
        /* IPv4 prefix. */
        memset(&p, 0, sizeof(struct prefix_ipv4));
        p.family = AF_INET;
-       p.prefixlen = stream_getc(s);
+       p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc(s));
        stream_get(&p.prefix, s, PSIZE(p.prefixlen));
 
        if (IPV4_NET127(ntohl(p.prefix.s_addr)))

diff --git a/ldpd/ldp_zebra.c b/ldpd/ldp_zebra.c
index ecc7db8f2ebb30ec6dffb87bd2f92e380f89e276..54c5af62a4e1d52d44f0d6043de758e684292402 100644 (file)
--- a/ldpd/ldp_zebra.c
+++ b/ldpd/ldp_zebra.c
@@ -427,17 +427,18 @@ ldp_zebra_read_route(int command, struct zclient *zclient, zebra_size_t length,
        case ZEBRA_REDISTRIBUTE_IPV4_ADD:
        case ZEBRA_REDISTRIBUTE_IPV4_DEL:
                kr.af = AF_INET;
+               kr.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc(s));
                nhlen = sizeof(struct in_addr);
                break;
        case ZEBRA_REDISTRIBUTE_IPV6_ADD:
        case ZEBRA_REDISTRIBUTE_IPV6_DEL:
                kr.af = AF_INET6;
+               kr.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc(s));
                nhlen = sizeof(struct in6_addr);
                break;
        default:
                fatalx("ldp_zebra_read_route: unknown command");
        }
-       kr.prefixlen = stream_getc(s);
        stream_get(&kr.prefix, s, PSIZE(kr.prefixlen));
 
        if (bad_addr(kr.af, &kr.prefix) ||

diff --git a/nhrpd/nhrp_route.c b/nhrpd/nhrp_route.c
index e9651adc544088d6269034f9c7b56b30af23303d..5116ad068cb441be6c8bb693e31f03bb43b96d23 100644 (file)
--- a/nhrpd/nhrp_route.c
+++ b/nhrpd/nhrp_route.c
@@ -215,16 +215,17 @@ int nhrp_route_read(int cmd, struct zclient *zclient, zebra_size_t length, vrf_i
        case ZEBRA_REDISTRIBUTE_IPV4_ADD:
        case ZEBRA_REDISTRIBUTE_IPV4_DEL:
                prefix.family = AF_INET;
+               prefix.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc(s));
                break;
        case ZEBRA_REDISTRIBUTE_IPV6_ADD:
        case ZEBRA_REDISTRIBUTE_IPV6_DEL:
                prefix.family = AF_INET6;
+               prefix.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc(s));
                break;
        default:
                return -1;
        }
        afaddrlen = family2addrsize(prefix.family);
-       prefix.prefixlen = stream_getc(s);
        stream_get(&prefix.u.val, s, PSIZE(prefix.prefixlen));
 
        memset(&src_p, 0, sizeof(src_p));