From: Benoît Ganne <bganne@cisco.com>
Date: Tue, 9 Jul 2019 11:50:35 +0000 (+0200)
Subject: fib: fix urpf_itfs vector overflow
X-Git-Tag: v20.01-rc0~225
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=3f5ebed6ea3a024b7396afe81f895719a8286681;p=vpp.git

fib: fix urpf_itfs vector overflow

When removing duplicates in urpf_itfs vector we search for the 1st next
different entry in the vector, but the loop test is in the wrong order:
(urpf->furpf_itfs[i] == urpf->furpf_itfs[j]
  && j < vec_len(urpf->furpf_itfs))
We must check for overflow before checking equality.

Type: fix
Fixes: 3ee44040c66cbe47ff292ac7fb0badccbe2afe6d

Change-Id: I63729aff12057d5abce6c24ec24339cd9cd79494
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---

diff --git a/src/vnet/fib/fib_urpf_list.c b/src/vnet/fib/fib_urpf_list.c
index a895729e91a..bd225142a1d 100644
--- a/src/vnet/fib/fib_urpf_list.c
+++ b/src/vnet/fib/fib_urpf_list.c
@@ -132,8 +132,7 @@ static int
 fib_urpf_itf_cmp_for_sort (void * v1,
 			   void * v2)
 {
-    fib_node_index_t *i1 = v1, *i2 = v2;
-
+    const adj_index_t *i1 = v1, *i2 = v2;
     return (*i2 < *i1);
 }
 
@@ -151,49 +150,21 @@ fib_urpf_list_bake (index_t ui)
     ASSERT(!(urpf->furpf_flags & FIB_URPF_LIST_BAKED));
 
     if (vec_len(urpf->furpf_itfs) > 1)
-    {
-	u32 i,j;
-
-	/*
-	 * cat list | sort | uniq > rpf_list
-	 */
-	vec_sort_with_function(urpf->furpf_itfs, fib_urpf_itf_cmp_for_sort);
-
-	i = 0, j = 1;
-	while (j < vec_len(urpf->furpf_itfs))
-	{
-	    if (urpf->furpf_itfs[i] == urpf->furpf_itfs[j])
-	    {
-		/*
-		 * the itfacenct entries are the same.
-		 * search forward for a unique one
-		 */
-		while (urpf->furpf_itfs[i] == urpf->furpf_itfs[j] &&
-		       j < vec_len(urpf->furpf_itfs))
-		{
-		    j++;
-		}
-		if (j == vec_len(urpf->furpf_itfs))
-		{
-		    /*
-		     * ran off the end without finding a unique index.
-		     * we are done.
-		     */
-		    break;
-		}
-		else
-		{
-		    urpf->furpf_itfs[i+1] = urpf->furpf_itfs[j];
-		}
-	    }
-	    i++, j++;
-	}
-
-	/*
-	 * set the length of the vector to the number of unique itfs
-	 */
-	_vec_len(urpf->furpf_itfs) = i+1;
-    }
+      {
+        u32 i, j;
+        /*
+         * cat list | sort | uniq > rpf_list
+         */
+        /* sort */
+        vec_sort_with_function(urpf->furpf_itfs, fib_urpf_itf_cmp_for_sort);
+        /* remove duplicates */
+        i = 0;
+        for (j=1; j<vec_len(urpf->furpf_itfs); j++)
+          if (urpf->furpf_itfs[i] != urpf->furpf_itfs[j])
+            urpf->furpf_itfs[++i] = urpf->furpf_itfs[j];
+        /* set the length of the vector to the number of unique itfs */
+        _vec_len(urpf->furpf_itfs) = i+1;
+      }
 
     urpf->furpf_flags |= FIB_URPF_LIST_BAKED;
 }