diff options
| author | Martin Buck <mb-tmp-tvguho.pbz@gromit.dyndns.org> | 2021-01-29 16:40:04 +0100 |
|---|---|---|
| committer | Martin Buck <mb-tmp-tvguho.pbz@gromit.dyndns.org> | 2021-01-29 19:38:17 +0100 |
| commit | 100f2989b351d337a28742a69e82e4b4b5e16ba0 (patch) | |
| tree | 1d35a9927eb82b60e109cde29c4b8887bb605ad2 /zebra/debug.c | |
| parent | ecf497baeda77bfd040818c7bd2ad412cac76d66 (diff) | |
ospf6d: Fix LSA formatting out-of-bounds access
Check whether full struct ospf6_router_lsdesc/ospf6_prefix is accessible
before accessing its contents. Previously, we only checked for the first
byte in ospf6_router_lsa_get_nbr_id() or not even that (due to an additional
off-by-one error) in ospf6_link_lsa_get_prefix_str() and
ospf6_intra_prefix_lsa_get_prefix_str().
Also check *before* accessing the first prefix instead of starting the
checks only at the 2nd prefix.
The previous code could cause out-of-bounds accesses with valid LSAs in case
of ospf6_link_lsa_get_prefix_str() and
ospf6_intra_prefix_lsa_get_prefix_str() and with specially crafted LSAs
(bad length field) in case of ospf6_router_lsa_get_nbr_id().
Signed-off-by: Martin Buck <mb-tmp-tvguho.pbz@gromit.dyndns.org>
Diffstat (limited to 'zebra/debug.c')
0 files changed, 0 insertions, 0 deletions