diff options
| author | Doug VanLeuven <roamdad@sonic.net> | 2012-10-10 16:11:36 -0700 |
|---|---|---|
| committer | David Lamparter <equinox@opensourcerouting.org> | 2012-11-05 11:12:08 -0500 |
| commit | a05df8fd279e4af0f077de181fb6c4e7d7174267 (patch) | |
| tree | 3b29c8d00b70dfbf9f9ff8ab90c29b970d0aea33 /isisd/isis_spf.c | |
| parent | 3b33de676ac8e84b82f40520ecd0f4722e16b349 (diff) | |
zebra: kernel_socket: fix overflow in RTA_ADDR & RTA_ATTR
In zebra/kernel_socket.c, copying sockaddr from *_msghdr:
There are really 2 different lengths that need to be determined.
1) the length required to point to the next sockaddr in the mesg
buffer which might include any required padding and
2) the actual length of the sockaddr data that needs to be copied
into the destination field.
They may or may not be the same value.
Sizeof sockaddr_in6 is 28, which to pad for alignment purposes on 32
bit systems with a long of 4 bytes is evenly divided and requires
no padding. On 64 bit systems, with a long of 8 it is padded with 4
extra bytes.So the current RTA_* macros are copying 32 bytes into a 28
byte field on 64 bitsystems, where the field overflow did not occur
on the 32 bit systems.
Since using sa_len required the use of an #ifdef which couldn't be used
directly inside a #define, it made sense to move the copy into the
function to allow typdef checking throughout and eliminate the hack
to suppress compiler warnings.
Fixed declaration of cp in ifm_read after compiler noticed type mismatch.
Tested on 64bit OS X 10.7, FreeBSD 9.0 amd64 & i386 (32bit)
using gcc & clang
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Diffstat (limited to 'isisd/isis_spf.c')
0 files changed, 0 insertions, 0 deletions