
Commit d2aeac3

ospfclient: Ensure ospf_apiclient_lsa_originate cannot accidentally write into stack

Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound on what can be written into an lsa, let's add a small check to ensure it is not possible to do a bad thing. This wins one of the long standing bug awards. 2003!

Fixes: #11602

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
1 parent b8443f7 commit d2aeac3

1 file changed: +6 -0 lines changed
ospfclient/ospf_apiclient.c

Lines changed: 6 additions & 0 deletions
@@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
447447
return OSPF_API_ILLEGALLSATYPE;
448448
}
449449

450+
if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {
451+
fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n",
452+
opaquelen, sizeof(buf));
453+
return OSPF_API_NOMEMORY;
454+
}
455+
450456
/* Make a new LSA from parameters */
451457
lsah = (struct lsa_header *)buf;
452458
lsah->ls_age = 0;
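
Review bot: The fprintf at new lines 451-452 reports sizeof(buf), but the limit enforced at line 450 is sizeof(buf) - sizeof(struct lsa_header), so a caller can be told that an opaquelen smaller than the printed size was rejected. Print the usable payload limit (the same expression as in the condition) so the message matches the check. The (size_t) cast also rejects a negative opaquelen, which is formatted with %d and is therefore signed. That is a useful property and deserves a one-line comment, so that a later cleanup does not remove the cast as redundant. Finally, OSPF_API_NOMEMORY reports an oversized argument as if it were an allocation failure. If the API has a return code for invalid arguments, it would describe this case better to the caller.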
