diff options
author | Benoît Ganne <bganne@cisco.com> | 2019-02-07 13:21:42 +0100 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-02-07 19:11:22 +0000 |
commit | 3d0ef26a0285b9baa486c91b2e6609125a2bc651 (patch) | |
tree | 98cb2d1ed6e60751a08c3b15c012785d033e9f1d /src/vnet/gre/gre_api.c | |
parent | d4c49be5e20406220cf89083c9df86c3c0761a81 (diff) |
Fix parsing overflow in unformat_mac_address_t()
'%x' unformat specifier expects a pointer to a 4-byte object and will
overflow when using a pointer to a 1-byte object. Use '%X' instead which
allows to pass the size of the object alongside its pointer.
The bug was exposed with the following commands:
~# make run
DBGvpp# loop create
loop0
DBGvpp# set ip6 neigh loop0 3001::2 a:a:a:a:a:a
DBGvpp# show ip6 neigh
Time Address Flags Link layer Interface
35.7743 ::2 D 0a:0a:0a:0a:0a:0a loop0
^^^
wrong address: should be 3001::2
Note that the bug impact depends from the parsing order and memory
layout.
Change-Id: I29ba2eb53ba5a2daf4517215602d027508e2cb9f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/gre/gre_api.c')
0 files changed, 0 insertions, 0 deletions