
Potential buffer overflow in ospf_apiclient_lsa_originate #11602

@yiyuaner

Description

In the file ospfclient/ospf_apiclient.c, the function ospf_apiclient_lsa_originate has the following code:

int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
				 struct in_addr ifaddr, struct in_addr area_id,
				 uint8_t lsa_type, uint8_t opaque_type,
				 uint32_t opaque_id, void *opaquedata,
				 int opaquelen) {
    uint8_t buf[OSPF_MAX_LSA_SIZE];
    struct lsa_header *lsah;
    ...
    lsah = (struct lsa_header *)buf;
    ...
    memcpy(((uint8_t *)lsah) + sizeof(struct lsa_header), opaquedata,
	       opaquelen);
}

When passing a large value for opaquelen, the memcpy can cause a buffer overflow of buf. I think even if this API is intended to be used internally, it is still better to check that the copy from opaquedata will not overflow buf.
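An added example (not FRR's code and not from the reporter) showing the check the report asks for: a model of the copy with OSPF_MAX_LSA_SIZE set to an assumed value, lsa_header laid out as the 20-byte RFC 2328 LSA header, and hypothetical function names.

```c
/* Added example, not FRR's code: bounds-checked model of the copy in
 * ospf_apiclient_lsa_originate. OSPF_MAX_LSA_SIZE is an assumed value for
 * the demo; lsa_header mirrors the RFC 2328 LSA header (20 bytes). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define OSPF_MAX_LSA_SIZE 1500 /* assumed buffer size for this demo */

struct lsa_header {
	uint16_t ls_age;
	uint8_t options;
	uint8_t type;
	uint32_t id;
	uint32_t adv_router;
	uint32_t ls_seqnum;
	uint16_t checksum;
	uint16_t length;
} __attribute__((packed));

/* Builds an opaque LSA into buf. Returns the total LSA length, or -1 when
 * opaquelen cannot fit after the header; the check runs before any memcpy. */
int build_opaque_lsa(uint8_t *buf, size_t buflen, uint8_t lsa_type,
		     uint8_t opaque_type, uint32_t opaque_id,
		     const void *opaquedata, int opaquelen)
{
	const size_t hdr = sizeof(struct lsa_header);
	struct lsa_header *lsah = (struct lsa_header *)buf;

	/* Reject negative or oversize payloads: this is the missing check. */
	if (opaquelen < 0 || buflen < hdr || (size_t)opaquelen > buflen - hdr)
		return -1;

	memset(lsah, 0, hdr);
	lsah->type = lsa_type;
	/* Opaque LSA ID: opaque type in the top byte, opaque ID in the rest. */
	lsah->id = htonl(((uint32_t)opaque_type << 24) | (opaque_id & 0xffffffu));
	lsah->length = htons((uint16_t)(hdr + (size_t)opaquelen));

	memcpy(buf + hdr, opaquedata, (size_t)opaquelen);
	return (int)(hdr + (size_t)opaquelen);
}

/* Driver modelled on the call site: a stack buffer of OSPF_MAX_LSA_SIZE and
 * a constructed source larger than it, so an unchecked copy would overflow. */
int originate_example(int opaquelen)
{
	uint8_t buf[OSPF_MAX_LSA_SIZE];
	static const uint8_t payload[4096] = { 0xab }; /* constructed source */
	return build_opaque_lsa(buf, sizeof(buf), 10, 1, 7, payload, opaquelen);
}
```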
