From: Stephen Worley
Date: Wed, 23 Oct 2019 17:08:10 +0000 (-0400)
Subject: zebra: Guard nexthop group overflow read
X-Git-Tag: base_7.3~219^2~7
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=5a935f79d5c6990b899862de6e3022036e4a7ffa;p=mirror%2Ffrr.git
zebra: Guard nexthop group overflow read
Guard against an overflow read when processing nexthop groups from netlink. Add a check to ensure we don't try to write passed the array size.
Signed-off-by: Stephen Worley
---
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index 4fe4d82386..b5ddc954c3 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -2313,7 +2313,7 @@ static struct nexthop netlink_nexthop_process_nh(struct rtattr **tb,
 }
 static int netlink_nexthop_process_group(struct rtattr **tb,
- struct nh_grp *z_grp)
+ struct nh_grp *z_grp, int z_grp_size)
 {
 uint8_t count = 0;
 /* linux/nexthop.h group struct */
@@ -2335,7 +2335,7 @@ static int netlink_nexthop_process_group(struct rtattr **tb,
 #endif
- for (int i = 0; i < count; i++) {
+ for (int i = 0; ((i < count) && (i < z_grp_size)); i++) {
 z_grp[i].id = n_grp[i].id;
 z_grp[i].weight = n_grp[i].weight;
 }
@@ -2412,7 +2412,8 @@ int netlink_nexthop_change(struct nlmsghdr *h, ns_id_t ns_id, int startup)
 * If this is a group message its only going to have
 * an array of nexthop IDs associated with it
 */
- grp_count = netlink_nexthop_process_group(tb, grp);
+ grp_count = netlink_nexthop_process_group(
+ tb, grp, array_size(grp));
 } else {
 if (tb[NHA_BLACKHOLE]) {
 /**
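Review bot: The new `z_grp_size` parameter in the first hunk's signature is a signed `int` and carries no documentation, while the caller in the third hunk passes `array_size(grp)`, which is presumably an unsigned element count. Declaring it `size_t z_grp_size`, with the loop index in the second hunk changed to match, would keep a bounds value out of signed/unsigned conversions. A comment above the function such as `/* z_grp_size: capacity of z_grp in elements, not bytes */` would state the contract. The function body continues outside this hunk.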
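Review bot: The added `i < z_grp_size` condition in the second hunk stops the copy into `z_grp` at its capacity but leaves `count` itself unclamped, so a netlink message carrying more entries than the array holds is truncated silently. The return statement is outside this hunk; if the function returns `count`, the `grp_count` stored by the caller in the third hunk can exceed the number of entries actually written, and any later loop over `grp` bounded by it would read past the array. Clamping before the loop, `if (count > z_grp_size) count = z_grp_size;`, with a warning logged when it triggers, keeps the returned count consistent with what was copied. How `count` is derived from the attribute payload is also outside the hunk, and since it is declared `uint8_t` it is worth confirming that the computation cannot truncate.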