authorBenoît Ganne <bganne@cisco.com>2019-06-17 14:42:47 +0200
committerNeale Ranns <nranns@cisco.com>2019-06-19 06:52:45 +0000
commitc257e076211d0bff2547e1b67a62576bbdb2963e (patch)
treef3fcfb3b3f0c176d57bf4439723caede68233a18 /src/vnet/mpls
parentf867cf1656b5906fb112f9e60ff65e46f6e1719a (diff)
mpls: fix header offset overflow
rw_len (MPLS rewrite string length) is declared as unsigned but is used as -rw_len with vlib_buffer_advance(), resulting in a wrong, huge offset. Type: fix Fixes: 734d430f37251bc7e71d507983ee640ae1625fbe Ticket: VPP-1705 Change-Id: I7357249f7e50b7d30fd61f5be4858a26e43df85d Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet/mpls')
-rw-r--r--src/vnet/mpls/mpls_output.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/vnet/mpls/mpls_output.c b/src/vnet/mpls/mpls_output.c
index 14018c1a38e..68577e711cc 100644
--- a/src/vnet/mpls/mpls_output.c
+++ b/src/vnet/mpls/mpls_output.c
@@ -78,12 +78,14 @@ mpls_output_inline (vlib_main_t * vm,
ip_adjacency_t * adj0;
mpls_unicast_header_t *hdr0;
vlib_buffer_t * p0;
- u32 pi0, rw_len0, adj_index0, next0, error0;
+ u32 pi0, adj_index0, next0, error0;
+ word rw_len0;
ip_adjacency_t * adj1;
mpls_unicast_header_t *hdr1;
vlib_buffer_t * p1;
- u32 pi1, rw_len1, adj_index1, next1, error1;
+ u32 pi1, adj_index1, next1, error1;
+ word rw_len1;
/* Prefetch next iteration. */
{
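Review bot: The new `word rw_len0;` and `word rw_len1;` declarations carry no comment saying that their signedness matters, so a later tidy-up that folds them back into the `u32` list would silently reintroduce the overflow; the same applies to `word rw_len0;` in the second hunk (@@ -221). I would annotate each one, e.g. `word rw_len0; /* signed on purpose: negated for vlib_buffer_advance() */`. Per the commit message the unsigned negation produced a huge offset, which presumably moves the buffer's current-data position far outside the buffer before the rewrite is written, so this is a memory-safety fix worth guarding against regression. The assignments to rw_len and the vlib_buffer_advance() calls are outside these hunks, as are the start and end of mpls_output_inline, so confirm there that no other unsigned length is negated on that path.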
@@ -221,7 +223,8 @@ mpls_output_inline (vlib_main_t * vm,
ip_adjacency_t * adj0;
mpls_unicast_header_t *hdr0;
vlib_buffer_t * p0;
- u32 pi0, rw_len0, adj_index0, next0, error0;
+ u32 pi0, adj_index0, next0, error0;
+ word rw_len0;
pi0 = to_next[0] = from[0];