From cbe0a6a1e9129cd754b36d8c31d8984ed15beaba Mon Sep 17 00:00:00 2001 From: Paul Jakma Date: Mon, 8 Feb 2016 14:46:28 +0000 Subject: [PATCH] lib: zclient can overflow (struct interface) hw_addr if zebra is evil * lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field is used as trusted input to read off the hw_addr and write to the INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is bounds-checked by the stream abstraction, however the write out to the heap can not be. Tighten the supplied length to stream_get used to do the write. Impact: a malicious zebra can overflow the heap of clients using the ZServ IPC. Note that zebra is already fairly trusted within Quagga. Reported-by: Kostya Kortchinsky --- lib/zclient.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/zclient.c b/lib/zclient.c index 5cd11fb347..c971bff6e2 100644 --- a/lib/zclient.c +++ b/lib/zclient.c @@ -1048,7 +1048,7 @@ zebra_interface_if_set_value (struct stream *s, struct interface *ifp) #else ifp->hw_addr_len = stream_getl (s); if (ifp->hw_addr_len) - stream_get (ifp->hw_addr, s, ifp->hw_addr_len); + stream_get (ifp->hw_addr, s, MIN(ifp->hw_addr_len, INTERFACE_HWADDR_MAX)); #endif /* HAVE_STRUCT_SOCKADDR_DL */ } -- 2.39.5