fib: fix adj_get_rewrite()

It looks like this bug has been around forever: initially the rewrite
string was at the end of rw->data, so the correct thing to do would have
been to return rw->data + max_size - rw->data_size.
Then we moved the rewrite string at the beginning of the buffer, so we
should always return rw->data.
In any case, rw->data - rw->data_size is clearly wrong and will access
memory in the rewrite header or before it.

Type: fix
Fixes: b80c536e34b610ca77cd84448754e4bd9c46cf68

Change-Id: Ib6d1124776a3c20e718fc46d61190dec7cba31c3
Signed-off-by: Benoît Ganne <[email protected]>

diff --git a/src/vnet/adj/adj.c b/src/vnet/adj/adj.c
index 201561f..7a2e618 100644 (file)
--- a/src/vnet/adj/adj.c
+++ b/src/vnet/adj/adj.c
@@ -572,7 +572,7 @@ adj_get_rewrite (adj_index_t ai)
 
     ASSERT (rw->data_bytes != 0xfefe);
 
-    return (rw->data - rw->data_bytes);
+    return rw->data;
 }
 
 static fib_node_t *