zebra: fix buffer overflow

mac is only 6 bytes long and we shouldn't blindly copy unknown number of bytes into it. Fixes #9671. Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
author: Igor Ryzhov <iryzhov@nfware.com> 2021-09-28 15:44:51 +0300
committer: Igor Ryzhov <iryzhov@nfware.com> 2021-09-28 15:45:14 +0300
commit: b7c21fad11d19458ab62202e10401a954cba5e1c (patch)
tree: 875d5fe9a64fc98886a80e9fc6b1d259d96e0478 /zebra/rt_netlink.c
parent: 01236d7aa7dab0891fa25012f87bc1fe3bbcfe9b (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index e36f320ad9..ec2c09e680 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -3744,7 +3744,6 @@ static int netlink_ipneigh_change(struct nlmsghdr *h, int len, ns_id_t ns_id)
 	if (tb[NDA_LLADDR]) {
 		/* copy LLADDR information */
 		l2_len = RTA_PAYLOAD(tb[NDA_LLADDR]);
-		memcpy(&mac, RTA_DATA(tb[NDA_LLADDR]), l2_len);
 	}
 	if (l2_len == IPV4_MAX_BYTELEN || l2_len == 0) {
 		union sockunion link_layer_ipv4;
@@ -3752,7 +3751,7 @@ static int netlink_ipneigh_change(struct nlmsghdr *h, int len, ns_id_t ns_id)
 		if (l2_len) {
 			sockunion_family(&link_layer_ipv4) = AF_INET;
 			memcpy((void *)sockunion_get_addr(&link_layer_ipv4),
-			       &mac, l2_len);
+			       RTA_DATA(tb[NDA_LLADDR]), l2_len);
 		} else
 			sockunion_family(&link_layer_ipv4) = AF_UNSPEC;
 		zsend_nhrp_neighbor_notify(
author	Igor Ryzhov <iryzhov@nfware.com>	2021-09-28 15:44:51 +0300
committer	Igor Ryzhov <iryzhov@nfware.com>	2021-09-28 15:45:14 +0300
commit	b7c21fad11d19458ab62202e10401a954cba5e1c (patch)
tree	875d5fe9a64fc98886a80e9fc6b1d259d96e0478 /zebra/rt_netlink.c
parent	01236d7aa7dab0891fa25012f87bc1fe3bbcfe9b (diff)