diff options
author | Benoît Ganne <bganne@cisco.com> | 2019-02-07 13:21:42 +0100 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-02-07 19:11:22 +0000 |
commit | 3d0ef26a0285b9baa486c91b2e6609125a2bc651 (patch) | |
tree | 98cb2d1ed6e60751a08c3b15c012785d033e9f1d /src/vnet/ethernet/mac_address.c | |
parent | d4c49be5e20406220cf89083c9df86c3c0761a81 (diff) |
Fix parsing overflow in unformat_mac_address_t()
'%x' unformat specifier expects a pointer to a 4-byte object and will
overflow when using a pointer to a 1-byte object. Use '%X' instead which
allows to pass the size of the object alongside its pointer.
The bug was exposed with the following commands:
~# make run
DBGvpp# loop create
loop0
DBGvpp# set ip6 neigh loop0 3001::2 a:a:a:a:a:a
DBGvpp# show ip6 neigh
Time Address Flags Link layer Interface
35.7743 ::2 D 0a:0a:0a:0a:0a:0a loop0
^^^
wrong address: should be 3001::2
Note that the bug impact depends from the parsing order and memory
layout.
Change-Id: I29ba2eb53ba5a2daf4517215602d027508e2cb9f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/ethernet/mac_address.c')
-rw-r--r-- | src/vnet/ethernet/mac_address.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/vnet/ethernet/mac_address.c b/src/vnet/ethernet/mac_address.c index eab7cef35a5..6f40e50efa2 100644 --- a/src/vnet/ethernet/mac_address.c +++ b/src/vnet/ethernet/mac_address.c @@ -39,9 +39,9 @@ unformat_mac_address_t (unformat_input_t * input, va_list * args) mac_address_t *mac = va_arg (*args, mac_address_t *); u32 i, a[3]; - if (unformat (input, "%_%x:%x:%x:%x:%x:%x%_", - &mac->bytes[0], &mac->bytes[1], &mac->bytes[2], - &mac->bytes[3], &mac->bytes[4], &mac->bytes[5])) + if (unformat (input, "%_%X:%X:%X:%X:%X:%X%_", + 1, &mac->bytes[0], 1, &mac->bytes[1], 1, &mac->bytes[2], + 1, &mac->bytes[3], 1, &mac->bytes[4], 1, &mac->bytes[5])) return (1); else if (unformat (input, "%_%x.%x.%x%_", &a[0], &a[1], &a[2])) { |