diff options
| author | Paul Jakma <paul.jakma@hpe.com> | 2016-02-08 14:46:28 +0000 |
|---|---|---|
| committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2016-03-28 08:57:32 -0400 |
| commit | cbe0a6a1e9129cd754b36d8c31d8984ed15beaba (patch) | |
| tree | d7b38542478af458ef8047f9b07f76caff80ecfd /lib/command.c | |
| parent | 50905aa278dbbd85ec3583bf6c67e42c9da1f0eb (diff) | |
lib: zclient can overflow (struct interface) hw_addr if zebra is evil
* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
is used as trusted input to read off the hw_addr and write to the
INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is
bounds-checked by the stream abstraction, however the write out to the
heap can not be.
Tighten the supplied length to stream_get used to do the write.
Impact: a malicious zebra can overflow the heap of clients using the ZServ
IPC. Note that zebra is already fairly trusted within Quagga.
Reported-by: Kostya Kortchinsky <kostyak@google.com>
Diffstat (limited to 'lib/command.c')
0 files changed, 0 insertions, 0 deletions