From: Igor Ryzhov <iryzhov@nfware.com>
Date: Tue, 28 Sep 2021 12:44:51 +0000 (+0300)
Subject: zebra: fix buffer overflow
X-Git-Tag: base_8.2~346^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=b7c21fad11d19458ab62202e10401a954cba5e1c;p=matthieu%2Ffrr.git

zebra: fix buffer overflow

mac is only 6 bytes long and we shouldn't blindly copy unknown number of
bytes into it.

Fixes #9671.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
---

diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index e36f320ad9..ec2c09e680 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -3744,7 +3744,6 @@ static int netlink_ipneigh_change(struct nlmsghdr *h, int len, ns_id_t ns_id)
 	if (tb[NDA_LLADDR]) {
 		/* copy LLADDR information */
 		l2_len = RTA_PAYLOAD(tb[NDA_LLADDR]);
-		memcpy(&mac, RTA_DATA(tb[NDA_LLADDR]), l2_len);
 	}
 	if (l2_len == IPV4_MAX_BYTELEN || l2_len == 0) {
 		union sockunion link_layer_ipv4;
@@ -3752,7 +3751,7 @@ static int netlink_ipneigh_change(struct nlmsghdr *h, int len, ns_id_t ns_id)
 		if (l2_len) {
 			sockunion_family(&link_layer_ipv4) = AF_INET;
 			memcpy((void *)sockunion_get_addr(&link_layer_ipv4),
-			       &mac, l2_len);
+			       RTA_DATA(tb[NDA_LLADDR]), l2_len);
 		} else
 			sockunion_family(&link_layer_ipv4) = AF_UNSPEC;
 		zsend_nhrp_neighbor_notify(