From cf0f13de2960b79b48aca72834764073f0f6d8e4 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Wed, 25 Nov 2020 09:49:28 -0500 Subject: [PATCH] ospfd: Prevent crash by accessing memory not owned. When allocating memory for the `struct ospf_metric` we were using `uint32_t` instead of the actual size of this structure. When we wrote to it we would be writing into other people's memory. Found-by: Amol Lad Signed-off-by: Donald Sharp --- ospfd/ospf_routemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ospfd/ospf_routemap.c b/ospfd/ospf_routemap.c index f9e11541fc..bdc65d23bf 100644 --- a/ospfd/ospf_routemap.c +++ b/ospfd/ospf_routemap.c @@ -416,7 +416,7 @@ static void *route_set_metric_compile(const char *arg) { struct ospf_metric *metric; - metric = XCALLOC(MTYPE_ROUTE_MAP_COMPILED, sizeof(uint32_t)); + metric = XCALLOC(MTYPE_ROUTE_MAP_COMPILED, sizeof(*metric)); metric->used = false; if (all_digit(arg)) -- 2.39.5