authorBenoît Ganne <bganne@cisco.com>2019-02-07 13:21:42 +0100
committerFlorin Coras <florin.coras@gmail.com>2019-02-07 19:11:22 +0000
commit3d0ef26a0285b9baa486c91b2e6609125a2bc651 (patch)
tree98cb2d1ed6e60751a08c3b15c012785d033e9f1d /src/vnet/ethernet
parentd4c49be5e20406220cf89083c9df86c3c0761a81 (diff)
Fix parsing overflow in unformat_mac_address_t()
The '%x' unformat specifier expects a pointer to a 4-byte object and will overflow when given a pointer to a 1-byte object. Use '%X' instead, which allows passing the size of the object alongside its pointer. The bug was exposed with the following commands: ~# make run DBGvpp# loop create loop0 DBGvpp# set ip6 neigh loop0 3001::2 a:a:a:a:a:a DBGvpp# show ip6 neigh Time Address Flags Link layer Interface 35.7743 ::2 D 0a:0a:0a:0a:0a:0a loop0 ^^^ wrong address: should be 3001::2 Note that the impact of the bug depends on the parsing order and memory layout. Change-Id: I29ba2eb53ba5a2daf4517215602d027508e2cb9f Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/ethernet')
-rw-r--r--src/vnet/ethernet/mac_address.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/vnet/ethernet/mac_address.c b/src/vnet/ethernet/mac_address.c
index eab7cef35a5..6f40e50efa2 100644
--- a/src/vnet/ethernet/mac_address.c
+++ b/src/vnet/ethernet/mac_address.c
@@ -39,9 +39,9 @@ unformat_mac_address_t (unformat_input_t * input, va_list * args)
mac_address_t *mac = va_arg (*args, mac_address_t *);
u32 i, a[3];
- if (unformat (input, "%_%x:%x:%x:%x:%x:%x%_",
- &mac->bytes[0], &mac->bytes[1], &mac->bytes[2],
- &mac->bytes[3], &mac->bytes[4], &mac->bytes[5]))
+ if (unformat (input, "%_%X:%X:%X:%X:%X:%X%_",
+ 1, &mac->bytes[0], 1, &mac->bytes[1], 1, &mac->bytes[2],
+ 1, &mac->bytes[3], 1, &mac->bytes[4], 1, &mac->bytes[5]))
return (1);
else if (unformat (input, "%_%x.%x.%x%_", &a[0], &a[1], &a[2]))
{
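Review bot: The new `%X` call in `unformat_mac_address_t` has no comment explaining the `1` size arguments, so a later cleanup could switch it back to `%x` and reintroduce the 4-byte store through each `&mac->bytes[n]` pointer. A line above the call such as `/* %X takes (size, ptr): each octet is a u8, plain %x would write 4 bytes */` would record that. It is also worth confirming how `unformat` handles an octet group wider than one byte (a constructed example: `1ff`) with a 1-byte destination, since the hunk does not show whether such input is rejected or silently truncated. A parser test for the colon-separated form, checking that memory next to the `mac_address_t` is left untouched, would cover both points. The function body continues past the end of this hunk, so the dotted `%x.%x.%x` branch is only partly visible here.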