ospfclient: Ensure ospf_apiclient_lsa_originate cannot accidently write into stack
authorDonald Sharp <sharpd@nvidia.com>
Wed, 20 Jul 2022 20:43:17 +0000 (16:43 -0400)
committerMergify <37929162+mergify[bot]@users.noreply.github.com>
Fri, 7 Oct 2022 18:51:35 +0000 (18:51 +0000)
Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound
on what can be written into a lsa, let's add a small check to ensure
it is not possible to do a bad thing.

This wins one of the long standing bug awards.  2003!

Fixes: #11602
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit d2aeac38708d93fb028d6a53e6eea317f0c06d1b)

ospfclient/ospf_apiclient.c

index b5e6389d4c9b0cee3690537ed72bafe56753a36e..b5f5d77d8238a220cc0b3f56ca2d976feabe5e1d 100644 (file)
@@ -453,6 +453,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
                return OSPF_API_ILLEGALLSATYPE;
        }
 
+       if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {
+               fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n",
+                       opaquelen, sizeof(buf));
+               return OSPF_API_NOMEMORY;
+       }
+
        /* Make a new LSA from parameters */
        lsah = (struct lsa_header *)buf;
        lsah->ls_age = 0;
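Review bot: The added guard rejects a negative `opaquelen` only implicitly, because the `(size_t)` cast wraps it to a very large value, and the message would then read "opaquelen(-1) is larger than buf size", which misleads whoever debugs the caller. Making the case explicit, `if (opaquelen < 0 || (size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {`, documents the intent without changing which inputs are refused. The message also prints `sizeof(buf)` while the effective limit is `sizeof(buf) - sizeof(struct lsa_header)`, so printing that difference would match the condition. The declaration of `buf` and the code that consumes `opaquelen` lie outside this hunk, so both are assumed from the commit description.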