matthieu/frr
1
0
Fork 0
forked from Mirror/frr
Code Pull requests Activity

ospf6d: Ensure that ospf6d does not memcpy beyond end of data

Browse source 
Ensure that received data size can fit into temp variable
that is used to dump data.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
This commit is contained in:
Donald Sharp 2022-06-22 08:24:03 -04:00
parent 75700af602
commit d9529c9fb1
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
ospf6d/ospf6_auth_trailer.c
View file

@ -120,7 +120,13 @@ void ospf6_auth_hdr_dump_recv(struct ospf6_header *ospfh, uint16_t length,
ospf6_at_hdr = ospf6_at_hdr =
(struct ospf6_auth_hdr *)((uint8_t *)ospfh + oh_len); (struct ospf6_auth_hdr *)((uint8_t *)ospfh + oh_len);
at_hdr_len = ntohs(ospf6_at_hdr->length); at_hdr_len = ntohs(ospf6_at_hdr->length);
hash_len = at_hdr_len - OSPF6_AUTH_HDR_MIN_SIZE; hash_len = at_hdr_len - (uint16_t)OSPF6_AUTH_HDR_MIN_SIZE;
if (hash_len > KEYCHAIN_MAX_HASH_SIZE) {
zlog_debug(
"Specified value for hash_len %u is greater than expected %u",
hash_len, KEYCHAIN_MAX_HASH_SIZE);
return;
}
memcpy(temp, ospf6_at_hdr->data, hash_len); memcpy(temp, ospf6_at_hdr->data, hash_len);
temp[hash_len] = '\0'; temp[hash_len] = '\0';
zlog_debug("OSPF6 Authentication Trailer"); zlog_debug("OSPF6 Authentication Trailer");