From c257e076211d0bff2547e1b67a62576bbdb2963e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Beno=C3=AEt=20Ganne?=
Date: Mon, 17 Jun 2019 14:42:47 +0200
Subject: [PATCH] mpls: fix header offset overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
rw_len (MPLS rewrite string length) is declared as unsigned but is used as -rw_len with vlib_buffer_advance(), resulting in a wrong, huge offset.
Type: fix
Fixes: 734d430f37251bc7e71d507983ee640ae1625fbe
Ticket: VPP-1705
Change-Id: I7357249f7e50b7d30fd61f5be4858a26e43df85d
Signed-off-by: Benoît Ganne
---
 src/vnet/mpls/mpls_output.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/vnet/mpls/mpls_output.c b/src/vnet/mpls/mpls_output.c
index 14018c1a38e..68577e711cc 100644
--- a/src/vnet/mpls/mpls_output.c
+++ b/src/vnet/mpls/mpls_output.c
@@ -78,12 +78,14 @@ mpls_output_inline (vlib_main_t * vm,
 ip_adjacency_t * adj0;
 mpls_unicast_header_t *hdr0;
 vlib_buffer_t * p0;
- u32 pi0, rw_len0, adj_index0, next0, error0;
+ u32 pi0, adj_index0, next0, error0;
+ word rw_len0;
 ip_adjacency_t * adj1;
 mpls_unicast_header_t *hdr1;
 vlib_buffer_t * p1;
- u32 pi1, rw_len1, adj_index1, next1, error1;
+ u32 pi1, adj_index1, next1, error1;
+ word rw_len1;
 /* Prefetch next iteration. */
 {
@@ -221,7 +223,8 @@ mpls_output_inline (vlib_main_t * vm,
 ip_adjacency_t * adj0;
 mpls_unicast_header_t *hdr0;
 vlib_buffer_t * p0;
- u32 pi0, rw_len0, adj_index0, next0, error0;
+ u32 pi0, adj_index0, next0, error0;
+ word rw_len0;
 pi0 = to_next[0] = from[0];
-- 
2.16.6
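Review bot: The three new declarations `word rw_len0;` / `word rw_len1;` (two in the hunk at -78, one in the hunk at -221) carry no comment saying why they must be signed, so a later tidy-up could fold them back into the neighbouring `u32` list and silently reintroduce the huge offset. I would annotate each one, e.g. `word rw_len0; /* signed: negated when passed to vlib_buffer_advance() */`. The assignment to rw_len and the negated call both sit outside these hunks, so it is worth confirming there that no other use of rw_len (a length comparison or byte-count sum, if any) now mixes signed and unsigned operands. mpls_output_inline starts before and continues past both hunks.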