author Paul Jakma <paul.jakma@hpe.com> 2016-02-08 14:46:28 +0000
committer Donald Sharp <sharpd@cumulusnetworks.com> 2016-03-28 08:57:32 -0400
commit cbe0a6a1e9129cd754b36d8c31d8984ed15beaba (patch)
tree d7b38542478af458ef8047f9b07f76caff80ecfd
parent 50905aa278dbbd85ec3583bf6c67e42c9da1f0eb (diff)

lib: zclient can overflow (struct interface) hw_addr if zebra is evil

* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field is used as trusted input to read off the hw_addr and write to the INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is bounds-checked by the stream abstraction, however the write out to the heap can not be. Tighten the supplied length to stream_get used to do the write.

Impact: a malicious zebra can overflow the heap of clients using the ZServ IPC. Note that zebra is already fairly trusted within Quagga.

Reported-by: Kostya Kortchinsky <kostyak@google.com>

-rw-r--r-- lib/zclient.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/zclient.c b/lib/zclient.c
index 5cd11fb347..c971bff6e2 100644
--- a/lib/zclient.c
+++ b/lib/zclient.c
@@ -1048,7 +1048,7 @@ zebra_interface_if_set_value (struct stream *s, struct interface *ifp)
#else
ifp->hw_addr_len = stream_getl (s);
if (ifp->hw_addr_len)
- stream_get (ifp->hw_addr, s, ifp->hw_addr_len);
+ stream_get (ifp->hw_addr, s, MIN(ifp->hw_addr_len, INTERFACE_HWADDR_MAX));
#endif /* HAVE_STRUCT_SOCKADDR_DL */
}
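
Review bot: At the changed `stream_get` call only the copy length is clamped; `ifp->hw_addr_len` itself still holds the unchecked value from `stream_getl (s)`, so any later code that uses it as the length of `ifp->hw_addr` can read past the INTERFACE_HWADDR_MAX-sized buffer. Validate the field before the copy, for example by rejecting the message when `ifp->hw_addr_len > INTERFACE_HWADDR_MAX`, or at least store the clamped value back into `ifp->hw_addr_len`. Rejecting oversized lengths also avoids a second effect of the `MIN(...)`: when the advertised length exceeds the maximum, the bytes beyond INTERFACE_HWADDR_MAX are left unread in `s`, so anything parsed from the stream afterwards would start at the wrong offset.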