Gitiles
Code Review Sign In
gerrit.opencord.org / quagga / 2db962760426ddb9e266f9a4bc0b274584c819cc
commit2db962760426ddb9e266f9a4bc0b274584c819cc[log] [tgz]
authorPaul Jakma <paul.jakma@hpe.com>Mon Feb 08 14:46:28 2016 +0000
committerPaul Jakma <paul.jakma@hpe.com>Tue Mar 08 17:53:22 2016 +0000
tree406ea2dc4196e9904ab9832a7dae548f4cdcf91d
parent405e9e19eb6ce62fa4f3f39a1f73990db9e146b7 [diff]
lib: zclient can overflow (struct interface) hw_addr if zebra is evil

* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
  is used as trusted input to read off the hw_addr and write to the
  INTERFACE_HWADDR_MAX sized hw_addr field.  The read from the stream is
  bounds-checked by the stream abstraction, however the write out to the
  heap can not be.

  Tighten the supplied length to stream_get used to do the write.

  Impact: a malicious zebra can overflow the heap of clients using the ZServ
  IPC.  Note that zebra is already fairly trusted within Quagga.

Reported-by: Kostya Kortchinsky <kostyak@google.com>
1 file changed
tree: 406ea2dc4196e9904ab9832a7dae548f4cdcf91d
  1. .gitignore
  2. AUTHORS
  3. COPYING
  4. COPYING.LIB
  5. ChangeLog
  6. HACKING.md
  7. HACKING.pending
  8. INSTALL.quagga.txt
  9. Makefile.am
  10. NEWS
  11. README
  12. README.NetBSD
  13. REPORTING-BUGS
  14. SERVICES
  15. TODO
  16. bgpd/
  17. bootstrap.sh
  18. buildtest.sh
  19. configure.ac
  20. doc/
  21. fpm/
  22. gdb/
  23. init/
  24. isisd/
  25. lib/
  26. m4/
  27. ospf6d/
  28. ospfclient/
  29. ospfd/
  30. pimd/
  31. pkgsrc/
  32. ports/
  33. redhat/
  34. ripd/
  35. ripngd/
  36. solaris/
  37. stamp-h.in
  38. tests/
  39. tools/
  40. update-autotools
  41. vtysh/
  42. watchquagga/
  43. zebra/