diff options
| -rw-r--r-- | zebra/if_netlink.c | 12 | ||||
| -rw-r--r-- | zebra/rt_netlink.c | 18 |
2 files changed, 30 insertions, 0 deletions
diff --git a/zebra/if_netlink.c b/zebra/if_netlink.c index 8943b434d7..66e98e2e51 100644 --- a/zebra/if_netlink.c +++ b/zebra/if_netlink.c @@ -995,6 +995,12 @@ int netlink_interface_addr(struct nlmsghdr *h, ns_id_t ns_id, int startup) /* Register interface address to the interface. */ if (ifa->ifa_family == AF_INET) { + if (ifa->ifa_prefixlen > IPV4_MAX_BITLEN) { + zlog_err( + "Invalid prefix length: %u received from kernel interface addr change: %u", + ifa->ifa_prefixlen, h->nlmsg_type); + return -1; + } if (h->nlmsg_type == RTM_NEWADDR) connected_add_ipv4(ifp, flags, (struct in_addr *)addr, ifa->ifa_prefixlen, @@ -1005,6 +1011,12 @@ int netlink_interface_addr(struct nlmsghdr *h, ns_id_t ns_id, int startup) ifa->ifa_prefixlen, (struct in_addr *)broad); } if (ifa->ifa_family == AF_INET6) { + if (ifa->ifa_prefixlen > IPV6_MAX_BITLEN) { + zlog_err( + "Invalid prefix length: %u received from kernel interface addr change: %u", + ifa->ifa_prefixlen, h->nlmsg_type); + return -1; + } if (h->nlmsg_type == RTM_NEWADDR) { /* Only consider valid addresses; we'll not get a * notification from diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c index 80841b6ac1..5facfa5faa 100644 --- a/zebra/rt_netlink.c +++ b/zebra/rt_netlink.c @@ -384,6 +384,12 @@ static int netlink_route_change_read_unicast(struct nlmsghdr *h, ns_id_t ns_id, if (rtm->rtm_family == AF_INET) { p.family = AF_INET; + if (rtm->rtm_dst_len > IPV4_MAX_BITLEN) { + zlog_err( + "Invalid destination prefix length: %u received from kernel route change", + rtm->rtm_dst_len); + return -1; + } memcpy(&p.u.prefix4, dest, 4); p.prefixlen = rtm->rtm_dst_len; @@ -398,10 +404,22 @@ static int netlink_route_change_read_unicast(struct nlmsghdr *h, ns_id_t ns_id, src_p.prefixlen = 0; } else if (rtm->rtm_family == AF_INET6) { p.family = AF_INET6; + if (rtm->rtm_dst_len > IPV6_MAX_BITLEN) { + zlog_err( + "Invalid destination prefix length: %u received from kernel route change", + rtm->rtm_dst_len); + return -1; + } memcpy(&p.u.prefix6, dest, 16); p.prefixlen = rtm->rtm_dst_len; src_p.family = AF_INET6; + if (rtm->rtm_src_len > IPV6_MAX_BITLEN) { + zlog_err( + "Invalid source prefix length: %u received from kernel route change", + rtm->rtm_src_len); + return -1; + } memcpy(&src_p.prefix, src, 16); src_p.prefixlen = rtm->rtm_src_len; } |