summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2019-04-18 17:42:24 +0200
committerDamjan Marion <dmarion@me.com>2019-04-30 15:34:29 +0000
commit052bda38c34fa73f8d0ad86615b777a0dd7f34d0 (patch)
treeb066a0e0d9fea0e161b8ff6dd98fc21e5cfd2086
parentbe95444fbb31b875c2ab98cd330fdcb36027ced8 (diff)
vppinfra: fix buffer overflow in unformat_token
Change-Id: Ia60e4092c45c192002de064c362a9265bc9baeec Signed-off-by: Benoît Ganne <bganne@cisco.com>
-rw-r--r--src/vppinfra/unformat.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/vppinfra/unformat.c b/src/vppinfra/unformat.c
index da7622a90a8..52b8bb779bb 100644
--- a/src/vppinfra/unformat.c
+++ b/src/vppinfra/unformat.c
@@ -338,8 +338,14 @@ unformat_token (unformat_input_t * input, va_list * va)
clib_memset (map, 0, sizeof (map));
for (s = token_chars; *s;)
{
- /* Parse range. */
- if (s[0] < s[2] && s[1] == '-')
+ /*
+ * Parse range.
+ * The test order is important: s[1] is valid because s[0] != '\0' but
+ * s[2] might not if s[1] == '\0'
+ * Also, if s[1] == '-' but s[2] == '\0' the test s[0] < s[2] will
+ * (correctly) fail
+ */
+ if (s[1] == '-' && s[0] < s[2])
{
for (i = s[0]; i <= s[2]; i++)
map[i] = 1;