diff options
| author | Donald Sharp <sharpd@cumulusnetworks.com> | 2019-11-19 19:36:19 -0500 |
|---|---|---|
| committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2019-11-19 20:30:24 -0500 |
| commit | b1945363fbfcefe9029253c611394e9f6967de7c (patch) | |
| tree | a3b37d6a6390f4a8d5d9ceeb4e93a41ed7b04d73 /zebra/zebra_router.c | |
| parent | 1d696edbde7cce40f75eeddf473b0b5a5f1974ba (diff) | |
pimd: Various buffer overflow reads and crashes
A variety of buffer overflow reads and crashes
that could occur if you fed bad info into pim.
1) When type is setup incorrectly we were printing the first 8 bytes
of the pim_parse_addr_source, but the min encoding length is
4 bytes. As such we will read beyond end of buffer.
2) The RP(pim, grp) macro can return a NULL value
Do not automatically assume that we can deref
the data.
3) BSM parsing was not properly sanitizing data input from wire
and we could enter into situations where we would read beyond
the end of the buffer. Prevent this from happening, we are
probably left in a bad way.
4) The received bit length cannot be greater than 32 bits,
refuse to allow it to happen.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'zebra/zebra_router.c')
0 files changed, 0 insertions, 0 deletions