vppinfra: fix buffer overflow in unformat_token

author Benoît Ganne <bganne@cisco.com>

Thu, 18 Apr 2019 15:42:24 +0000 (17:42 +0200)

committer Damjan Marion <dmarion@me.com>

Tue, 30 Apr 2019 15:34:29 +0000 (15:34 +0000)
author Benoît Ganne <bganne@cisco.com>
Thu, 18 Apr 2019 15:42:24 +0000 (17:42 +0200)
committer Damjan Marion <dmarion@me.com>
Tue, 30 Apr 2019 15:34:29 +0000 (15:34 +0000)
diff --git a/src/vppinfra/unformat.c b/src/vppinfra/unformat.c

index da7622a..52b8bb7 100644 (file)
--- a/src/vppinfra/unformat.c
+++ b/src/vppinfra/unformat.c
@@ -338,8 +338,14 @@ unformat_token (unformat_input_t * input, va_list * va)
    clib_memset (map, 0, sizeof (map));
    for (s = token_chars; *s;)
      {
-      /* Parse range. */
-      if (s[0] < s[2] && s[1] == '-')
+      /*
+       * Parse range.
+       * The test order is important: s[1] is valid because s[0] != '\0' but
+       * s[2] might not if s[1] == '\0'
+       * Also, if s[1] == '-' but s[2] == '\0' the test s[0] < s[2] will
+       * (correctly) fail
+       */
+      if (s[1] == '-' && s[0] < s[2])
         {
           for (i = s[0]; i <= s[2]; i++)
             map[i] = 1;
author	Benoît Ganne <bganne@cisco.com>
	Thu, 18 Apr 2019 15:42:24 +0000 (17:42 +0200)
committer	Damjan Marion <dmarion@me.com>
	Tue, 30 Apr 2019 15:34:29 +0000 (15:34 +0000)