From a74e593b3545374a9021f8264152dba42e08323a Mon Sep 17 00:00:00 2001
From: Renato Westphal
Date: Thu, 21 Sep 2017 09:49:31 -0300
Subject: *: fix segfault when sending more than MULTIPATH_NUM nexthops

This is a fallout from PR #1022 (zapi consolidation). In the early days, the client daemons would allocate enough memory to send all nexthops to zebra. Then zebra would add all nexthops to the RIB and respect MULTIPATH_NUM only when installing the routes in the kernel. Now things are different and the client daemons can send at most MULTIPATH_NUM nexthops to zebra, and failure to respect that will result in a buffer overflow. The MULTIPATH_NUM limit in the new zebra API is a small price we pay to avoid allocating memory for each route sent to zebra.

Signed-off-by: Renato Westphal
---
 ospfd/ospf_zebra.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ospfd/ospf_zebra.c')

diff --git a/ospfd/ospf_zebra.c b/ospfd/ospf_zebra.c
index e26a33c35f..9bba2c9806 100644
--- a/ospfd/ospf_zebra.c
+++ b/ospfd/ospf_zebra.c
@@ -349,7 +349,6 @@ void ospf_zebra_add(struct prefix_ipv4 *p, struct ospf_route * or)
 memcpy(&api.prefix, p, sizeof(*p));
 SET_FLAG(api.message, ZAPI_MESSAGE_NEXTHOP);
- api.nexthop_num = or->paths->count;
 /* Metric value. */
 SET_FLAG(api.message, ZAPI_MESSAGE_METRIC);
@@ -377,6 +376,8 @@ void ospf_zebra_add(struct prefix_ipv4 *p, struct ospf_route * or)
 /* Nexthop, ifindex, distance and metric information. */
 for (ALL_LIST_ELEMENTS_RO(or->paths, node, path)) {
+ if (count >= MULTIPATH_NUM)
+ break;
 api_nh = &api.nexthops[count];
 #ifdef HAVE_NETLINK
 if (path->unnumbered || (path->nexthop.s_addr != INADDR_ANY
@@ -407,6 +408,7 @@ void ospf_zebra_add(struct prefix_ipv4 *p, struct ospf_route * or)
 path->ifindex);
 }
 }
+ api.nexthop_num = count;
 zclient_route_send(ZEBRA_ROUTE_ADD, zclient, &api);
 }
-- cgit v1.2.3
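Review bot: The added `if (count >= MULTIPATH_NUM) break;` at the top of the nexthop loop (hunk at -377) truncates the path list silently, so nothing records that a route was sent to zebra with fewer nexthops than OSPF computed. A debug message on the break path would make that visible, and a comment such as `/* api.nexthops[] is a fixed array of MULTIPATH_NUM entries; extra paths are dropped */` would tell the next reader why the guard must stay ahead of the `api.nexthops[count]` write. The array size is inferred from the commit message rather than from a declaration on this page. The increment of `count` and the rest of the loop body lie outside the hunk, so confirm that `count` is the only index used for writes into `api.nexthops`.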
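Review bot: With `api.nexthop_num = count;` set after the loop (hunk at -407), the MULTIPATH_NUM bound is still enforced only by each caller, and the commit message states that a larger value ends in a buffer overflow. The shared send path behind `zclient_route_send()` is the better place to reject `nexthop_num > MULTIPATH_NUM` once for every daemon, so that a caller missed by this series fails with an error rather than corrupting memory. That code is not shown on this page, so whether it already performs such a check cannot be told from here. On the receiving side, zebra should apply the same bound to the count it decodes, since the value arrives over a socket.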