lib: zclient can overflow (struct interface) hw_addr if zebra is evil

* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
  is used as trusted input to read off the hw_addr and write to the
  INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is
  bounds-checked by the stream abstraction, however the write out to the
  heap can not be.

  Tighten the supplied length to stream_get used to do the write.

Impact: a malicious zebra can overflow the heap of clients using the ZServ
IPC. Note that zebra is already fairly trusted within Quagga.

Reported-by: Kostya Kortchinsky <kostyak@google.com>

diff --git a/lib/zclient.c b/lib/zclient.c
index 9188c01..610008b 100644
--- a/lib/zclient.c
+++ b/lib/zclient.c
@@ -794,7 +794,7 @@
ifp->ll_type = stream_getl (s);
ifp->hw_addr_len = stream_getl (s);
if (ifp->hw_addr_len)
- stream_get (ifp->hw_addr, s, ifp->hw_addr_len);
+ stream_get (ifp->hw_addr, s, MIN(ifp->hw_addr_len, INTERFACE_HWADDR_MAX));
}
static int
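Review bot: on the `+` line only the copy length is clamped; `ifp->hw_addr_len` itself still holds the unchecked value from `stream_getl (s)`, so any later code that uses `hw_addr_len` as the length of `hw_addr` can read past the INTERFACE_HWADDR_MAX sized buffer. Consider clamping the field before the copy, or rejecting the message when the length exceeds INTERFACE_HWADDR_MAX, and then passing `ifp->hw_addr_len` to `stream_get` unchanged. Two further points follow from the same line. When the supplied length is larger than the clamp, the surplus bytes stay unread in the stream, which matters if anything is parsed after this block. If `hw_addr_len` is a signed type, a negative value passes the `if (ifp->hw_addr_len)` test and is selected by `MIN`, so the comparison should be done on an unsigned value or the negative case rejected explicitly.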