From: Benoît Ganne <bganne@cisco.com>
Date: Mon, 17 Jun 2019 12:42:47 +0000 (+0200)
Subject: mpls: fix header offset overflow
X-Git-Tag: v20.01-rc0~378
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F74%2F20174%2F5;p=vpp.git

mpls: fix header offset overflow

rw_len (MPLS rewrite string length) is declared as unsigned but is used
as -rw_len with vlib_buffer_advance(), resulting in a wrong, huge
offset.

Type: fix
Fixes: 734d430f37251bc7e71d507983ee640ae1625fbe
Ticket: VPP-1705
Change-Id: I7357249f7e50b7d30fd61f5be4858a26e43df85d
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---

diff --git a/src/vnet/mpls/mpls_output.c b/src/vnet/mpls/mpls_output.c
index 14018c1a38e..68577e711cc 100644
--- a/src/vnet/mpls/mpls_output.c
+++ b/src/vnet/mpls/mpls_output.c
@@ -78,12 +78,14 @@ mpls_output_inline (vlib_main_t * vm,
           ip_adjacency_t * adj0;
           mpls_unicast_header_t *hdr0;
           vlib_buffer_t * p0;
-          u32 pi0, rw_len0, adj_index0, next0, error0;
+          u32 pi0, adj_index0, next0, error0;
+          word rw_len0;
 
           ip_adjacency_t * adj1;
           mpls_unicast_header_t *hdr1;
           vlib_buffer_t * p1;
-          u32 pi1, rw_len1, adj_index1, next1, error1;
+          u32 pi1, adj_index1, next1, error1;
+          word rw_len1;
 
           /* Prefetch next iteration. */
           {
@@ -221,7 +223,8 @@ mpls_output_inline (vlib_main_t * vm,
 	  ip_adjacency_t * adj0;
           mpls_unicast_header_t *hdr0;
 	  vlib_buffer_t * p0;
-	  u32 pi0, rw_len0, adj_index0, next0, error0;
+	  u32 pi0, adj_index0, next0, error0;
+          word rw_len0;
 
 	  pi0 = to_next[0] = from[0];