From: Renato Westphal <renato@opensourcerouting.org>
Date: Sat, 19 Aug 2017 17:12:20 +0000 (-0300)
Subject: babeld/eigrpd/ldpd/nhrpd: add prefix length sanity checks
X-Git-Tag: frr-4.0-dev~379^2~19
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=e959008b1ef36acc572d41555f7df2d3e7f9a0cf;p=matthieu%2Ffrr.git

babeld/eigrpd/ldpd/nhrpd: add prefix length sanity checks

Pulled from d917882.

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
---

diff --git a/babeld/babel_zebra.c b/babeld/babel_zebra.c
index a1d3a9e8cc..2b998940d7 100644
--- a/babeld/babel_zebra.c
+++ b/babeld/babel_zebra.c
@@ -79,7 +79,7 @@ babel_zebra_read_ipv6 (int command, struct zclient *zclient,
 
     /* IPv6 prefix. */
     prefix.family = AF_INET6;
-    prefix.prefixlen = stream_getc (s);
+    prefix.prefixlen = MIN (IPV6_MAX_PREFIXLEN, stream_getc (s));
     stream_get (&prefix.prefix, s, PSIZE (prefix.prefixlen));
 
     memset(&src_p, 0, sizeof(src_p));
@@ -140,9 +140,9 @@ babel_zebra_read_ipv4 (int command, struct zclient *zclient,
     api.flags = stream_getl (s);
     api.message = stream_getc (s);
 
-    /* IPv6 prefix. */
+    /* IPv4 prefix. */
     prefix.family = AF_INET;
-    prefix.prefixlen = stream_getc (s);
+    prefix.prefixlen = MIN (IPV4_MAX_PREFIXLEN, stream_getc (s));
     stream_get (&prefix.prefix, s, PSIZE (prefix.prefixlen));
 
     /* Nexthop, ifindex, distance, metric. */
diff --git a/eigrpd/eigrp_zebra.c b/eigrpd/eigrp_zebra.c
index 0ee89eb675..6fc3f29353 100644
--- a/eigrpd/eigrp_zebra.c
+++ b/eigrpd/eigrp_zebra.c
@@ -137,7 +137,7 @@ static int eigrp_zebra_read_ipv4(int command, struct zclient *zclient,
 	/* IPv4 prefix. */
 	memset(&p, 0, sizeof(struct prefix_ipv4));
 	p.family = AF_INET;
-	p.prefixlen = stream_getc(s);
+	p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc(s));
 	stream_get(&p.prefix, s, PSIZE(p.prefixlen));
 
 	if (IPV4_NET127(ntohl(p.prefix.s_addr)))
diff --git a/ldpd/ldp_zebra.c b/ldpd/ldp_zebra.c
index ecc7db8f2e..54c5af62a4 100644
--- a/ldpd/ldp_zebra.c
+++ b/ldpd/ldp_zebra.c
@@ -427,17 +427,18 @@ ldp_zebra_read_route(int command, struct zclient *zclient, zebra_size_t length,
 	case ZEBRA_REDISTRIBUTE_IPV4_ADD:
 	case ZEBRA_REDISTRIBUTE_IPV4_DEL:
 		kr.af = AF_INET;
+		kr.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc(s));
 		nhlen = sizeof(struct in_addr);
 		break;
 	case ZEBRA_REDISTRIBUTE_IPV6_ADD:
 	case ZEBRA_REDISTRIBUTE_IPV6_DEL:
 		kr.af = AF_INET6;
+		kr.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc(s));
 		nhlen = sizeof(struct in6_addr);
 		break;
 	default:
 		fatalx("ldp_zebra_read_route: unknown command");
 	}
-	kr.prefixlen = stream_getc(s);
 	stream_get(&kr.prefix, s, PSIZE(kr.prefixlen));
 
 	if (bad_addr(kr.af, &kr.prefix) ||
diff --git a/nhrpd/nhrp_route.c b/nhrpd/nhrp_route.c
index e9651adc54..5116ad068c 100644
--- a/nhrpd/nhrp_route.c
+++ b/nhrpd/nhrp_route.c
@@ -215,16 +215,17 @@ int nhrp_route_read(int cmd, struct zclient *zclient, zebra_size_t length, vrf_i
 	case ZEBRA_REDISTRIBUTE_IPV4_ADD:
 	case ZEBRA_REDISTRIBUTE_IPV4_DEL:
 		prefix.family = AF_INET;
+		prefix.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc(s));
 		break;
 	case ZEBRA_REDISTRIBUTE_IPV6_ADD:
 	case ZEBRA_REDISTRIBUTE_IPV6_DEL:
 		prefix.family = AF_INET6;
+		prefix.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc(s));
 		break;
 	default:
 		return -1;
 	}
 	afaddrlen = family2addrsize(prefix.family);
-	prefix.prefixlen = stream_getc(s);
 	stream_get(&prefix.u.val, s, PSIZE(prefix.prefixlen));
 
 	memset(&src_p, 0, sizeof(src_p));