From: Benoît Ganne <bganne@cisco.com>
Date: Thu, 7 Feb 2019 12:21:42 +0000 (+0100)
Subject: Fix parsing overflow in unformat_mac_address_t()
X-Git-Tag: v19.04-rc1~510
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=3d0ef26a0285b9baa486c91b2e6609125a2bc651;hp=3d0ef26a0285b9baa486c91b2e6609125a2bc651;p=vpp.git

Fix parsing overflow in unformat_mac_address_t()

'%x' unformat specifier expects a pointer to a 4-byte object and will
overflow when using a pointer to a 1-byte object. Use '%X' instead which
allows to pass the size of the object alongside its pointer.

The bug was exposed with the following commands:
~# make run
DBGvpp# loop create
loop0
DBGvpp# set ip6 neigh loop0 3001::2 a:a:a:a:a:a
DBGvpp# show ip6 neigh
Time     Address  Flags  Link layer         Interface
35.7743  ::2      D      0a:0a:0a:0a:0a:0a  loop0
         ^^^
  wrong address: should be 3001::2
Note that the bug impact depends from the parsing order and memory
layout.

Change-Id: I29ba2eb53ba5a2daf4517215602d027508e2cb9f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---