ip: fix show ip neigh vector read overflow

Both format_ethernet_arp_ip4_entry() and format_ip6_neighbor_ip6_entry()
used %s to format flags which is a vector and not a null-terminated
C-string.
Introduce format_ip_neighbor_flags() instead.

Type: fix
Fixes: 102ec52bc4

Change-Id: I0c9349fefbeb76471933de358acceb50512a21aa
Signed-off-by: Benoît Ganne <bganne@cisco.com>

3 files changed, 30 insertions, 38 deletions

diff --git a/src/vnet/ethernet/arp.c b/src/vnet/ethernet/arp.c
index c7e27ffbae7..edf7656f1cb 100644
--- a/src/vnet/ethernet/arp.c
+++ b/src/vnet/ethernet/arp.c
@@ -264,7 +264,6 @@ format_ethernet_arp_ip4_entry (u8 * s, va_list * va)
   vnet_main_t *vnm = va_arg (*va, vnet_main_t *);
   ethernet_arp_ip4_entry_t *e = va_arg (*va, ethernet_arp_ip4_entry_t *);
   vnet_sw_interface_t *si;
-  u8 *flags = 0;
 
   if (!e)
     return format (s, "%=12s%=16s%=6s%=20s%=24s", "Time", "IP4",
@@ -272,24 +271,12 @@ format_ethernet_arp_ip4_entry (u8 * s, va_list * va)
 
   si = vnet_get_sw_interface (vnm, e->sw_if_index);
 
-  if (e->flags & IP_NEIGHBOR_FLAG_STATIC)
-    flags = format (flags, "S");
-
-  if (e->flags & IP_NEIGHBOR_FLAG_DYNAMIC)
-    flags = format (flags, "D");
-
-  if (e->flags & IP_NEIGHBOR_FLAG_NO_FIB_ENTRY)
-    flags = format (flags, "N");
-
-  s = format (s, "%=12U%=16U%=6s%=20U%U",
-	      format_vlib_time, vnm->vlib_main, e->time_last_updated,
-	      format_ip4_address, &e->ip4_address,
-	      flags ? (char *) flags : "",
-	      format_mac_address_t, &e->mac,
-	      format_vnet_sw_interface_name, vnm, si);
-
-  vec_free (flags);
-  return s;
+  return format (s, "%=12U%=16U%=6U%=20U%U",
+		 format_vlib_time, vnm->vlib_main, e->time_last_updated,
+		 format_ip4_address, &e->ip4_address,
+		 format_ip_neighbor_flags, e->flags,
+		 format_mac_address_t, &e->mac,
+		 format_vnet_sw_interface_name, vnm, si);
 }
 
 typedef struct
diff --git a/src/vnet/ip/ip6_neighbor.c b/src/vnet/ip/ip6_neighbor.c
index c332b2c1bc9..071d3eb6673 100644
--- a/src/vnet/ip/ip6_neighbor.c
+++ b/src/vnet/ip/ip6_neighbor.c
@@ -342,31 +342,19 @@ format_ip6_neighbor_ip6_entry (u8 * s, va_list * va)
   ip6_neighbor_t *n = va_arg (*va, ip6_neighbor_t *);
   vnet_main_t *vnm = vnet_get_main ();
   vnet_sw_interface_t *si;
-  u8 *flags = 0;
 
   if (!n)
     return format (s, "%=12s%=45s%=6s%=20s%=40s", "Time", "Address", "Flags",
 		   "Link layer", "Interface");
 
-  if (n->flags & IP_NEIGHBOR_FLAG_DYNAMIC)
-    flags = format (flags, "D");
-
-  if (n->flags & IP_NEIGHBOR_FLAG_STATIC)
-    flags = format (flags, "S");
-
-  if (n->flags & IP_NEIGHBOR_FLAG_NO_FIB_ENTRY)
-    flags = format (flags, "N");
-
   si = vnet_get_sw_interface (vnm, n->key.sw_if_index);
-  s = format (s, "%=12U%=45U%=6s%=20U%=40U",
-	      format_vlib_time, vm, n->time_last_updated,
-	      format_ip6_address, &n->key.ip6_address,
-	      flags ? (char *) flags : "",
-	      format_mac_address_t, &n->mac,
-	      format_vnet_sw_interface_name, vnm, si);
-
-  vec_free (flags);
-  return s;
+
+  return format (s, "%=12U%=45U%=6U%=20U%=40U",
+		 format_vlib_time, vm, n->time_last_updated,
+		 format_ip6_address, &n->key.ip6_address,
+		 format_ip_neighbor_flags, n->flags,
+		 format_mac_address_t, &n->mac,
+		 format_vnet_sw_interface_name, vnm, si);
 }
 
 static void
diff --git a/src/vnet/ip/ip_neighbor.c b/src/vnet/ip/ip_neighbor.c
index ad89d3ff679..bd0144101ed 100644
--- a/src/vnet/ip/ip_neighbor.c
+++ b/src/vnet/ip/ip_neighbor.c
@@ -47,6 +47,23 @@ typedef struct
 
 static ip_neighbor_scan_config_t ip_neighbor_scan_conf;
 
+u8 *
+format_ip_neighbor_flags (u8 * s, va_list * args)
+{
+  const ip_neighbor_flags_t flags = va_arg (*args, int);
+
+  if (flags & IP_NEIGHBOR_FLAG_STATIC)
+    s = format (s, "S");
+
+  if (flags & IP_NEIGHBOR_FLAG_DYNAMIC)
+    s = format (s, "D");
+
+  if (flags & IP_NEIGHBOR_FLAG_NO_FIB_ENTRY)
+    s = format (s, "N");
+
+  return s;
+}
+
 int
 ip_neighbor_add (const ip46_address_t * ip,
 		 ip46_type_t type,