mpls: fix header offset overflow

rw_len (MPLS rewrite string length) is declared as unsigned but is used
as -rw_len with vlib_buffer_advance(), resulting in a wrong, huge
offset.

Type: fix
Fixes: 734d430f37251bc7e71d507983ee640ae1625fbe
Ticket: VPP-1705
Change-Id: I7357249f7e50b7d30fd61f5be4858a26e43df85d
Signed-off-by: Benoît Ganne <bganne@cisco.com>

diff --git a/src/vnet/mpls/mpls_output.c b/src/vnet/mpls/mpls_output.c
index 14018c1..68577e7 100644 (file)
--- a/src/vnet/mpls/mpls_output.c
+++ b/src/vnet/mpls/mpls_output.c
@@ -78,12 +78,14 @@ mpls_output_inline (vlib_main_t * vm,
           ip_adjacency_t * adj0;
           mpls_unicast_header_t *hdr0;
           vlib_buffer_t * p0;
-          u32 pi0, rw_len0, adj_index0, next0, error0;
+          u32 pi0, adj_index0, next0, error0;
+          word rw_len0;
 
           ip_adjacency_t * adj1;
           mpls_unicast_header_t *hdr1;
           vlib_buffer_t * p1;
-          u32 pi1, rw_len1, adj_index1, next1, error1;
+          u32 pi1, adj_index1, next1, error1;
+          word rw_len1;
 
           /* Prefetch next iteration. */
           {
@@ -221,7 +223,8 @@ mpls_output_inline (vlib_main_t * vm,
          ip_adjacency_t * adj0;
           mpls_unicast_header_t *hdr0;
          vlib_buffer_t * p0;
-         u32 pi0, rw_len0, adj_index0, next0, error0;
+         u32 pi0, adj_index0, next0, error0;
+          word rw_len0;
 
          pi0 = to_next[0] = from[0];