Fix parsing overflow in unformat_mac_address_t() - vpp

diff options

author	Benoît Ganne <bganne@cisco.com>	2019-02-07 13:21:42 +0100
committer	Florin Coras <florin.coras@gmail.com>	2019-02-07 19:11:22 +0000
commit	3d0ef26a0285b9baa486c91b2e6609125a2bc651 (patch)
tree	98cb2d1ed6e60751a08c3b15c012785d033e9f1d /src/vnet/ipsec/ipsec_if.c
parent	d4c49be5e20406220cf89083c9df86c3c0761a81 (diff)

Fix parsing overflow in unformat_mac_address_t()

'%x' unformat specifier expects a pointer to a 4-byte object and will overflow when using a pointer to a 1-byte object. Use '%X' instead which allows to pass the size of the object alongside its pointer. The bug was exposed with the following commands: ~# make run DBGvpp# loop create loop0 DBGvpp# set ip6 neigh loop0 3001::2 a:a:a:a:a:a DBGvpp# show ip6 neigh Time Address Flags Link layer Interface 35.7743 ::2 D 0a:0a:0a:0a:0a:0a loop0 ^^^ wrong address: should be 3001::2 Note that the bug impact depends from the parsing order and memory layout. Change-Id: I29ba2eb53ba5a2daf4517215602d027508e2cb9f Signed-off-by: Benoît Ganne <bganne@cisco.com>

Diffstat (limited to 'src/vnet/ipsec/ipsec_if.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: