From 052bda38c34fa73f8d0ad86615b777a0dd7f34d0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Beno=C3=AEt=20Ganne?=
Date: Thu, 18 Apr 2019 17:42:24 +0200
Subject: [PATCH] vppinfra: fix buffer overflow in unformat_token
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Change-Id: Ia60e4092c45c192002de064c362a9265bc9baeec
Signed-off-by: Benoît Ganne
---
 src/vppinfra/unformat.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/vppinfra/unformat.c b/src/vppinfra/unformat.c
index da7622a90a8..52b8bb779bb 100644
--- a/src/vppinfra/unformat.c
+++ b/src/vppinfra/unformat.c
@@ -338,8 +338,14 @@ unformat_token (unformat_input_t * input, va_list * va)
 clib_memset (map, 0, sizeof (map));
 for (s = token_chars; *s;)
 {
- /* Parse range. */
- if (s[0] < s[2] && s[1] == '-')
+ /*
+ * Parse range.
+ * The test order is important: s[1] is valid because s[0] != '\0' but
+ * s[2] might not if s[1] == '\0'
+ * Also, if s[1] == '-' but s[2] == '\0' the test s[0] < s[2] will
+ * (correctly) fail
+ */
+ if (s[1] == '-' && s[0] < s[2])
 {
 for (i = s[0]; i <= s[2]; i++)
 map[i] = 1;
-- 
2.16.6
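Review bot: The new comment's claim that `s[0] < s[2]` "(correctly) fails" when `s[2] == '\0'` holds only if `s` points to an unsigned character type, and the comment does not say so. With a plain signed `char`, a byte of 0x80 or above in `s[0]` compares below zero, so a `token_chars` ending in such a byte followed by `-` would still take the range branch and `map[i]` would be indexed from a negative value. The declarations of `s`, `i` and `map` are outside the hunk, as are the start and end of `unformat_token`, so this cannot be confirmed from here. I would state the dependency in the comment, for example `* (this relies on s being a pointer to unsigned bytes, so s[0] > 0 here)`. The diffstat shows only this file changed, so a regression test with a `token_chars` string ending in `-` would be worth adding alongside.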