From cafaac98e7424b649f34da78620a77ef0653c08b Mon Sep 17 00:00:00 2001
From: Benoît Ganne <bganne@cisco.com>
Date: Fri, 17 Jul 2020 11:54:28 +0200
Subject: feature: fix feature config data initialization overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Copy only exactly the data provided by the user even when it is not a
4-bytes multiple.

Type: fix

Change-Id: I2ef987c37e58523a38b46b09227529db2c26aa55
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit c79a14f13a0db6f59123e0e6b0b71d4f24433b01)
---
 src/vnet/config.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/vnet/config.c b/src/vnet/config.c
index 9beda4a5706..73fed66d13a 100644
--- a/src/vnet/config.c
+++ b/src/vnet/config.c
@@ -267,11 +267,16 @@ vnet_config_add_feature (vlib_main_t * vm,
   f->feature_index = feature_index;
   f->node_index = node_index;
 
-  n_feature_config_u32s =
-    round_pow2 (n_feature_config_bytes,
-		sizeof (f->feature_config[0])) /
-    sizeof (f->feature_config[0]);
-  vec_add (f->feature_config, feature_config, n_feature_config_u32s);
+  if (n_feature_config_bytes)
+    {
+      n_feature_config_u32s =
+	round_pow2 (n_feature_config_bytes,
+		    sizeof (f->feature_config[0])) /
+	sizeof (f->feature_config[0]);
+      vec_validate (f->feature_config, n_feature_config_u32s - 1);
+      clib_memcpy_fast (f->feature_config, feature_config,
+			n_feature_config_bytes);
+    }
 
   /* Sort (prioritize) features. */
   if (vec_len (new_features) > 1)
-- 
cgit 1.2.3-korg