From c07005a0d853fb145a8c84cf4f631d4308fc751c Mon Sep 17 00:00:00 2001
From: Quentin Young <qlyoung@cumulusnetworks.com>
Date: Fri, 3 Jan 2020 20:26:09 -0500
Subject: [PATCH] zebra: disallow negative rtadv intvl, fix overflow

- Disallow RA interval < 0
- Fix integer overflow issue converting interval to seconds from
  milliseconds
- Add missing "m" to "ms"

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
---
 zebra/rtadv.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/zebra/rtadv.c b/zebra/rtadv.c
index f3c78bc98f..785cf6e708 100644
--- a/zebra/rtadv.c
+++ b/zebra/rtadv.c
@@ -934,16 +934,25 @@ static void zebra_interface_radv_set(ZAPI_HANDLER_ARGS, int enable)
 	ifindex_t ifindex;
 	struct interface *ifp;
 	struct zebra_if *zif;
-	int ra_interval;
+	int ra_interval_rxd;
 
 	s = msg;
 
 	/* Get interface index and RA interval. */
 	STREAM_GETL(s, ifindex);
-	STREAM_GETL(s, ra_interval);
+	STREAM_GETL(s, ra_interval_rxd);
+
+	if (ra_interval_rxd < 0) {
+		zlog_warn(
+			"Requested RA interval %d is garbage; ignoring request",
+			ra_interval_rxd);
+		return;
+	}
+
+	unsigned int ra_interval = ra_interval_rxd;
 
 	if (IS_ZEBRA_DEBUG_EVENT)
-		zlog_debug("%u: IF %u RA %s from client %s, interval %ds",
+		zlog_debug("%u: IF %u RA %s from client %s, interval %ums",
 			   zvrf_id(zvrf), ifindex,
 			   enable ? "enable" : "disable",
 			   zebra_route_string(client->proto), ra_interval);
@@ -970,7 +979,7 @@ static void zebra_interface_radv_set(ZAPI_HANDLER_ARGS, int enable)
 		SET_FLAG(zif->rtadv.ra_configured, BGP_RA_CONFIGURED);
 		ipv6_nd_suppress_ra_set(ifp, RA_ENABLE);
 		if (ra_interval
-		    && (ra_interval * 1000) < zif->rtadv.MaxRtrAdvInterval
+		    && (ra_interval * 1000) < (unsigned int) zif->rtadv.MaxRtrAdvInterval
 		    && !CHECK_FLAG(zif->rtadv.ra_configured,
 				   VTY_RA_INTERVAL_CONFIGURED))
 			zif->rtadv.MaxRtrAdvInterval = ra_interval * 1000;
-- 
2.39.5