Potential buffer overflow in ospf_apiclient_lsa_originate #11602
Labels: triage (Needs further investigation)
donaldsharp added a commit to donaldsharp/frr that referenced this issue Jul 21, 2022:

…te into stack

Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound on what can be written into a lsa, let's add a small check to ensure it is not possible to do a bad thing. This wins one of the long standing bug awards. 2003!

Fixes: FRRouting#11602
Signed-off-by: Donald Sharp <[email protected]>
mergify bot pushed a commit that referenced this issue Oct 7, 2022:

…te into stack

Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound on what can be written into a lsa, let's add a small check to ensure it is not possible to do a bad thing. This wins one of the long standing bug awards. 2003!

Fixes: #11602
Signed-off-by: Donald Sharp <[email protected]>
(cherry picked from commit d2aeac3)
In the file ospfclient/ospf_apiclient.c, the function ospf_apiclient_lsa_originate has the following code:

When passing a large value for opaquelen, the memcpy can cause a buffer overflow to buf. I think even if this api is intended to be used internally, it is still better to check that copy from opaquedata will not overflow buf.
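The kind of length check the issue asks for, as an added sketch that is not FRR's code and not the actual fix: `demo_build_opaque_lsa`, `DEMO_MAX_LSA_SIZE` (standing in for OSPF_MAX_LSA_SIZE) and the 20-byte header constant are assumptions made for illustration, and opaquelen is assumed to be a signed int. It leaves room for the header in front of the payload and rejects a negative length before it can reach memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this sketch; FRR defines the real ones in its headers. */
#define DEMO_MAX_LSA_SIZE 1500 /* stands in for OSPF_MAX_LSA_SIZE */
#define DEMO_LSA_HDR_SIZE 20   /* fixed OSPF LSA header length */

/* Hypothetical helper: assemble header + opaque payload in a fixed stack
 * buffer, then copy it to out. Returns the LSA length, or -1 on rejection. */
int demo_build_opaque_lsa(uint8_t *out, size_t outlen,
			  const void *opaquedata, int opaquelen)
{
	uint8_t buf[DEMO_MAX_LSA_SIZE];
	size_t room = sizeof(buf) - DEMO_LSA_HDR_SIZE; /* payload space */
	size_t total;

	/* A negative int becomes a huge size_t inside memcpy: reject first. */
	if (opaquelen < 0 || (size_t)opaquelen > room)
		return -1;
	if (opaquelen > 0 && opaquedata == NULL)
		return -1;
	total = DEMO_LSA_HDR_SIZE + (size_t)opaquelen;
	if (out == NULL || outlen < total)
		return -1;

	memset(buf, 0, DEMO_LSA_HDR_SIZE);
	buf[18] = (uint8_t)(total >> 8); /* length field, network byte order */
	buf[19] = (uint8_t)(total & 0xff);
	if (opaquelen > 0)
		memcpy(buf + DEMO_LSA_HDR_SIZE, opaquedata, (size_t)opaquelen);
	memcpy(out, buf, total);
	return (int)total;
}

int main(void)
{
	uint8_t out[DEMO_MAX_LSA_SIZE];
	uint8_t data[DEMO_MAX_LSA_SIZE] = {0}; /* constructed sample payload */
	int lens[] = {4, 1480, 1481, -1};

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("opaquelen=%d -> %d\n", lens[i],
		       demo_build_opaque_lsa(out, sizeof(out), data, lens[i]));
	return 0;
}
```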