summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ah_encrypt.c
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2019-02-07 13:21:42 +0100
committerFlorin Coras <florin.coras@gmail.com>2019-02-07 19:11:22 +0000
commit3d0ef26a0285b9baa486c91b2e6609125a2bc651 (patch)
tree98cb2d1ed6e60751a08c3b15c012785d033e9f1d /src/vnet/ipsec/ah_encrypt.c
parentd4c49be5e20406220cf89083c9df86c3c0761a81 (diff)
Fix parsing overflow in unformat_mac_address_t()
'%x' unformat specifier expects a pointer to a 4-byte object and will overflow when using a pointer to a 1-byte object. Use '%X' instead which allows to pass the size of the object alongside its pointer. The bug was exposed with the following commands: ~# make run DBGvpp# loop create loop0 DBGvpp# set ip6 neigh loop0 3001::2 a:a:a:a:a:a DBGvpp# show ip6 neigh Time Address Flags Link layer Interface 35.7743 ::2 D 0a:0a:0a:0a:0a:0a loop0 ^^^ wrong address: should be 3001::2 Note that the bug impact depends from the parsing order and memory layout. Change-Id: I29ba2eb53ba5a2daf4517215602d027508e2cb9f Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ah_encrypt.c')
0 files changed, 0 insertions, 0 deletions