| author | Donald Sharp <sharpd@nvidia.com> | 2022-07-20 16:43:17 -0400 |
|---|---|---|
| committer | Donald Sharp <sharpd@nvidia.com> | 2022-07-22 13:17:58 -0400 |
| commit | d2aeac38708d93fb028d6a53e6eea317f0c06d1b (patch) | |
| tree | dabaec3c151239d6da7ce7f32b79d439278f6de4 | |
| parent | b8443f7ad39ce0429f53c286d04a84b6faaeef83 (diff) | |
ospfclient: Ensure ospf_apiclient_lsa_originate cannot accidentally write into stack
Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound
on what can be written into a lsa, let's add a small check to ensure
it is not possible to do a bad thing.
This wins one of the long standing bug awards. 2003!
Fixes: #11602
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
| -rw-r--r-- | ospfclient/ospf_apiclient.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ospfclient/ospf_apiclient.c b/ospfclient/ospf_apiclient.c index e84c6f5b3c..41f0b25b91 100644 --- a/ospfclient/ospf_apiclient.c +++ b/ospfclient/ospf_apiclient.c @@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient, return OSPF_API_ILLEGALLSATYPE; } + if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) { + fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n", + opaquelen, sizeof(buf)); + return OSPF_API_NOMEMORY; + } + /* Make a new LSA from parameters */ lsah = (struct lsa_header *)buf; lsah->ls_age = 0; |
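Review bot: the fprintf in the new check reports sizeof(buf) as the limit, but the comparison rejects any opaquelen above sizeof(buf) - sizeof(struct lsa_header), so a caller can see "opaquelen(N) is larger than buf size M" with N smaller than M. Print the limit that is actually enforced, for example by computing sizeof(buf) - sizeof(struct lsa_header) once into a local and using it in both the comparison and the message. The (size_t) cast also means a negative opaquelen (it is printed with %d, so it is signed) wraps to a very large value and is rejected by the same branch; that is the right outcome, but it deserves a one-line comment because the message will then show a negative number described as "larger than buf size". Finally, OSPF_API_NOMEMORY is returned for what is a caller-supplied length error rather than an allocation failure; if the API has a more specific error code for bad input, it would be easier to diagnose on the caller's side.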
