From: Donatas Abraitis Date: Sun, 17 Jul 2022 19:31:48 +0000 (+0300) Subject: zebra: Avoid buffer overflow using netlink_parse_rtattr_nested() X-Git-Tag: docker/8.3.0~2^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=e55f89c770ea74840e2b4617779dafed6065fc1c;p=matthieu%2Ffrr.git zebra: Avoid buffer overflow using netlink_parse_rtattr_nested() memset(tb, 0, sizeof(struct rtattr *) * (max + 1)); in netlink_parse_rtattr() seems a good candidate to buffer overflow. Signed-off-by: Donatas Abraitis (cherry picked from commit ce39ca16dd9ab7233e13171e08c35b2e1c196493) --- diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c index 93b2d94671..1fa8ce3f64 100644 --- a/zebra/rt_netlink.c +++ b/zebra/rt_netlink.c @@ -420,10 +420,10 @@ static enum seg6local_action_t parse_encap_seg6local(struct rtattr *tb, struct seg6local_context *ctx) { - struct rtattr *tb_encap[256] = {}; + struct rtattr *tb_encap[SEG6_LOCAL_MAX + 1] = {}; enum seg6local_action_t act = ZEBRA_SEG6_LOCAL_ACTION_UNSPEC; - netlink_parse_rtattr_nested(tb_encap, 256, tb); + netlink_parse_rtattr_nested(tb_encap, SEG6_LOCAL_MAX, tb); if (tb_encap[SEG6_LOCAL_ACTION]) act = *(uint32_t *)RTA_DATA(tb_encap[SEG6_LOCAL_ACTION]); @@ -448,11 +448,11 @@ parse_encap_seg6local(struct rtattr *tb, static int parse_encap_seg6(struct rtattr *tb, struct in6_addr *segs) { - struct rtattr *tb_encap[256] = {}; + struct rtattr *tb_encap[SEG6_IPTUNNEL_MAX + 1] = {}; struct seg6_iptunnel_encap *ipt = NULL; struct in6_addr *segments = NULL; - netlink_parse_rtattr_nested(tb_encap, 256, tb); + netlink_parse_rtattr_nested(tb_encap, SEG6_IPTUNNEL_MAX, tb); /* * TODO: It's not support multiple SID list.