Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 4d39f9c)
map: api: fix tag overflow and leak 70/24470/3
authorBenoît Ganne <bganne@cisco.com>
Tue, 21 Jan 2020 17:24:44 +0000 (18:24 +0100)
committerDamjan Marion <dmarion@me.com>
Mon, 27 Jan 2020 20:37:58 +0000 (20:37 +0000)
The 'tag' parameter is expected to be a NULL-terminated C-string in
callees:
 - make sure it is null-terminated in both API and CLI cases
 - do not allocate & copy the string into a non-NULL-terminated vector
   in API case
 - fix leak in CLI case

Type: fix

Change-Id: I221a489a226240548cdeb5e3663bbfb94eee4600
Signed-off-by: Benoît Ganne <bganne@cisco.com>
src/plugins/map/map.c patch | blob | history
src/plugins/map/map_api.c patch | blob | history

diff --git a/src/plugins/map/map.c b/src/plugins/map/map.c
index bc9b3df..92d2337 100644 (file)
--- a/src/plugins/map/map.c
+++ b/src/plugins/map/map.c
@@ -551,7 +551,7 @@ map_add_domain_command_fn (vlib_main_t * vm,
        num_m_args++;
       else if (unformat (line_input, "mtu %d", &mtu))
        num_m_args++;
-      else if (unformat (line_input, "tag %v", &tag))
+      else if (unformat (line_input, "tag %s", &tag))
        ;
       else
        {
@@ -573,6 +573,7 @@ map_add_domain_command_fn (vlib_main_t * vm,
                     mtu, flags, tag);
 
 done:
+  vec_free (tag);
   unformat_free (line_input);
 
   return error;
diff --git a/src/plugins/map/map_api.c b/src/plugins/map/map_api.c
index 418f6a0..7327732 100644 (file)
--- a/src/plugins/map/map_api.c
+++ b/src/plugins/map/map_api.c
@@ -40,7 +40,7 @@ vl_api_map_add_domain_t_handler (vl_api_map_add_domain_t * mp)
   u32 index;
   u8 flags = 0;
 
-  u8 *tag = format (0, "%s", mp->tag);
+  mp->tag[ARRAY_LEN (mp->tag) - 1] = '\0';
   rv =
     map_create_domain ((ip4_address_t *) & mp->ip4_prefix.address,
                       mp->ip4_prefix.len,
@@ -48,8 +48,9 @@ vl_api_map_add_domain_t_handler (vl_api_map_add_domain_t * mp)
                       mp->ip6_prefix.len,
                       (ip6_address_t *) & mp->ip6_src.address,
                       mp->ip6_src.len, mp->ea_bits_len, mp->psid_offset,
-                      mp->psid_length, &index, ntohs (mp->mtu), flags, tag);
-  vec_free (tag);
+                      mp->psid_length, &index, ntohs (mp->mtu), flags,
+                      mp->tag);
+
   /* *INDENT-OFF* */
   REPLY_MACRO2(VL_API_MAP_ADD_DOMAIN_REPLY,
   ({
Vector Packet Processing