diff options
author | Benoît Ganne <bganne@cisco.com> | 2019-06-17 14:42:47 +0200 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-06-19 06:52:45 +0000 |
commit | c257e076211d0bff2547e1b67a62576bbdb2963e (patch) | |
tree | f3fcfb3b3f0c176d57bf4439723caede68233a18 /src/vnet | |
parent | f867cf1656b5906fb112f9e60ff65e46f6e1719a (diff) |
mpls: fix header offset overflow
rw_len (MPLS rewrite string length) is declared as unsigned but is used
as -rw_len with vlib_buffer_advance(), resulting in a wrong, huge
offset.
Type: fix
Fixes: 734d430f37251bc7e71d507983ee640ae1625fbe
Ticket: VPP-1705
Change-Id: I7357249f7e50b7d30fd61f5be4858a26e43df85d
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/mpls/mpls_output.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/vnet/mpls/mpls_output.c b/src/vnet/mpls/mpls_output.c index 14018c1a38e..68577e711cc 100644 --- a/src/vnet/mpls/mpls_output.c +++ b/src/vnet/mpls/mpls_output.c @@ -78,12 +78,14 @@ mpls_output_inline (vlib_main_t * vm, ip_adjacency_t * adj0; mpls_unicast_header_t *hdr0; vlib_buffer_t * p0; - u32 pi0, rw_len0, adj_index0, next0, error0; + u32 pi0, adj_index0, next0, error0; + word rw_len0; ip_adjacency_t * adj1; mpls_unicast_header_t *hdr1; vlib_buffer_t * p1; - u32 pi1, rw_len1, adj_index1, next1, error1; + u32 pi1, adj_index1, next1, error1; + word rw_len1; /* Prefetch next iteration. */ { @@ -221,7 +223,8 @@ mpls_output_inline (vlib_main_t * vm, ip_adjacency_t * adj0; mpls_unicast_header_t *hdr0; vlib_buffer_t * p0; - u32 pi0, rw_len0, adj_index0, next0, error0; + u32 pi0, adj_index0, next0, error0; + word rw_len0; pi0 = to_next[0] = from[0]; |