From 3f5ebed6ea3a024b7396afe81f895719a8286681 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Beno=C3=AEt=20Ganne?=
Date: Tue, 9 Jul 2019 13:50:35 +0200
Subject: [PATCH] fib: fix urpf_itfs vector overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
When removing duplicates in urpf_itfs vector we search for the 1st next different entry in the vector, but the loop test is in the wrong order: (urpf->furpf_itfs[i] == urpf->furpf_itfs[j] && j < vec_len(urpf->furpf_itfs)) We must check for overflow before checking equality.
Type: fix
Fixes: 3ee44040c66cbe47ff292ac7fb0badccbe2afe6d
Change-Id: I63729aff12057d5abce6c24ec24339cd9cd79494
Signed-off-by: Benoît Ganne
---
 src/vnet/fib/fib_urpf_list.c | 61 ++++++++++++--------------------------------
 1 file changed, 16 insertions(+), 45 deletions(-)
diff --git a/src/vnet/fib/fib_urpf_list.c b/src/vnet/fib/fib_urpf_list.c
index a895729e91a..bd225142a1d 100644
--- a/src/vnet/fib/fib_urpf_list.c
+++ b/src/vnet/fib/fib_urpf_list.c
@@ -132,8 +132,7 @@ static int fib_urpf_itf_cmp_for_sort (void * v1, void * v2) {
- fib_node_index_t *i1 = v1, *i2 = v2;
-
+ const adj_index_t *i1 = v1, *i2 = v2;
 return (*i2 < *i1);
 }
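Review bot: `fib_urpf_itf_cmp_for_sort` still returns only 0 or 1 (`return (*i2 < *i1);`), so it reports "equal" whenever `*i1 < *i2` and never returns a negative value. If `vec_sort_with_function` passes this to a qsort-style sort (its definition is not visible in this patch), that is not a consistent three-way ordering, and the de-duplication in `fib_urpf_list_bake` depends on equal entries ending up adjacent. A three-way result keeps the same ascending order and removes the doubt: `return (*i1 > *i2) - (*i1 < *i2);`. The locals are also retyped to `adj_index_t`; it is worth confirming that this matches the declared element type of `furpf_itfs`, which is outside this hunk.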
@@ -151,49 +150,21 @@ fib_urpf_list_bake (index_t ui)
 ASSERT(!(urpf->furpf_flags & FIB_URPF_LIST_BAKED));
 if (vec_len(urpf->furpf_itfs) > 1)
- {
- u32 i,j;
-
- /*
- * cat list | sort | uniq > rpf_list
- */
- vec_sort_with_function(urpf->furpf_itfs, fib_urpf_itf_cmp_for_sort);
-
- i = 0, j = 1;
- while (j < vec_len(urpf->furpf_itfs))
- {
- if (urpf->furpf_itfs[i] == urpf->furpf_itfs[j])
- {
- /*
- * the itfacenct entries are the same.
- * search forward for a unique one
- */
- while (urpf->furpf_itfs[i] == urpf->furpf_itfs[j] &&
- j < vec_len(urpf->furpf_itfs))
- {
- j++;
- }
- if (j == vec_len(urpf->furpf_itfs))
- {
- /*
- * ran off the end without finding a unique index.
- * we are done.
- */
- break;
- }
- else
- {
- urpf->furpf_itfs[i+1] = urpf->furpf_itfs[j];
- }
- }
- i++, j++;
- }
-
- /*
- * set the length of the vector to the number of unique itfs
- */
- _vec_len(urpf->furpf_itfs) = i+1;
- }
+ {
+ u32 i, j;
+ /*
+ * cat list | sort | uniq > rpf_list
+ */
+ /* sort */
+ vec_sort_with_function(urpf->furpf_itfs, fib_urpf_itf_cmp_for_sort);
+ /* remove duplicates */
+ i = 0;
+ for (j=1; jfurpf_itfs); j++)
+ if (urpf->furpf_itfs[i] != urpf->furpf_itfs[j])
+ urpf->furpf_itfs[++i] = urpf->furpf_itfs[j];
+ /* set the length of the vector to the number of unique itfs */
+ _vec_len(urpf->furpf_itfs) = i+1;
+ }
 urpf->furpf_flags |= FIB_URPF_LIST_BAKED;
 }
--
2.16.6
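Review bot: The new compaction loop in `fib_urpf_list_bake` is safe only because the bound on `j` is tested before `furpf_itfs[j]` is read and because `i` always trails `j`, but neither fact is written down, and the nested `for`/`if` bodies are unbraced. The previous version read one element past the end of the vector for exactly this ordering reason, so a comment above the loop such as `/* i = last unique slot kept, j = read cursor; i < j < vec_len, so [++i] never passes [j] */`, plus braces around both bodies, would make a later edit less likely to reintroduce it. The loop condition is garbled in this rendering of the patch, so the bound itself should be checked against the real file. `fib_urpf_list_bake` begins before this hunk.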