Memory overwritten when using unformat %u (VPP-987)

Change-Id: I7d8f807fb502d61688aa1dee25fa4edcbeb32f41
Signed-off-by: Aequitas <wang.junqi@zte.com.cn>

diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index 612085f..9441625 100644 (file)
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -3151,7 +3151,7 @@ snat_det_close_session_out_fn (vlib_main_t *vm,
   snat_main_t *sm = &snat_main;
   unformat_input_t _line_input, *line_input = &_line_input;
   ip4_address_t out_addr, ext_addr, in_addr;
-  u16 out_port, ext_port;
+  u32 out_port, ext_port;
   snat_det_map_t * dm;
   snat_det_session_t * ses;
   snat_det_out_key_t key;
@@ -3182,10 +3182,10 @@ snat_det_close_session_out_fn (vlib_main_t *vm,
     vlib_cli_output (vm, "no match");
   else
     {
-      snat_det_reverse(dm, &ext_addr, out_port, &in_addr);
+      snat_det_reverse(dm, &ext_addr, (u16)out_port, &in_addr);
       key.ext_host_addr = out_addr;
-      key.ext_host_port = ntohs(ext_port);
-      key.out_port = ntohs(out_port);
+      key.ext_host_port = ntohs((u16)ext_port);
+      key.out_port = ntohs((u16)out_port);
       ses = snat_det_get_ses_by_out(dm, &out_addr, key.as_u64);
       if (!ses)
         vlib_cli_output (vm, "no match");
@@ -3222,7 +3222,7 @@ snat_det_close_session_in_fn (vlib_main_t *vm,
   snat_main_t *sm = &snat_main;
   unformat_input_t _line_input, *line_input = &_line_input;
   ip4_address_t in_addr, ext_addr;
-  u16 in_port, ext_port;
+  u32 in_port, ext_port;
   snat_det_map_t * dm;
   snat_det_session_t * ses;
   snat_det_out_key_t key;
@@ -3254,8 +3254,8 @@ snat_det_close_session_in_fn (vlib_main_t *vm,
   else
     {
       key.ext_host_addr = ext_addr;
-      key.ext_host_port = ntohs (ext_port);
-      ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs(in_port), key);
+      key.ext_host_port = ntohs ((u16)ext_port);
+      ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs((u16)in_port), key);
       if (!ses)
         vlib_cli_output (vm, "no match");
       else

diff --git a/src/plugins/nat/nat64_cli.c b/src/plugins/nat/nat64_cli.c
index 8890038..f3645bb 100644 (file)
--- a/src/plugins/nat/nat64_cli.c
+++ b/src/plugins/nat/nat64_cli.c
@@ -301,8 +301,8 @@ nat64_add_del_static_bib_command_fn (vlib_main_t *
   u8 is_add = 1;
   ip6_address_t in_addr;
   ip4_address_t out_addr;
-  u16 in_port = 0;
-  u16 out_port = 0;
+  u32 in_port = 0;
+  u32 out_port = 0;
   u32 vrf_id = 0, protocol;
   snat_protocol_t proto = 0;
   u8 p = 0;
@@ -362,8 +362,8 @@ nat64_add_del_static_bib_command_fn (vlib_main_t *
     }
 
   rv =
-    nat64_add_del_static_bib_entry (&in_addr, &out_addr, in_port, out_port, p,
-                                   vrf_id, is_add);
+    nat64_add_del_static_bib_entry (&in_addr, &out_addr, (u16) in_port,
+                                   (u16) out_port, p, vrf_id, is_add);
 
   switch (rv)
     {

diff --git a/src/plugins/nat/nat_test.c b/src/plugins/nat/nat_test.c
index b653b77..e0b0494 100644 (file)
--- a/src/plugins/nat/nat_test.c
+++ b/src/plugins/nat/nat_test.c
@@ -846,7 +846,7 @@ static int api_snat_det_reverse (vat_main_t * vam)
   unformat_input_t * i = vam->input;
   vl_api_snat_det_reverse_t * mp;
   ip4_address_t out_addr;
-  u16 out_port;
+  u32 out_port;
   int ret;
 
   if (unformat (i, "%U %d", unformat_ip4_address, &out_addr, &out_port))
@@ -859,7 +859,7 @@ static int api_snat_det_reverse (vat_main_t * vam)
 
   M(SNAT_DET_REVERSE, mp);
   clib_memcpy(mp->out_addr, &out_addr, 4);
-  mp->out_port = htons(out_port);
+  mp->out_port = htons((u16)out_port);
 
   S(mp);
   W(ret);
@@ -981,7 +981,7 @@ static int api_snat_det_close_session_out (vat_main_t * vam)
   unformat_input_t * i = vam->input;
   vl_api_snat_det_close_session_out_t * mp;
   ip4_address_t out_addr, ext_addr;
-  u16 out_port, ext_port;
+  u32 out_port, ext_port;
   int ret;
 
   if (unformat (i, "%U:%d %U:%d",
@@ -996,9 +996,9 @@ static int api_snat_det_close_session_out (vat_main_t * vam)
 
   M(SNAT_DET_CLOSE_SESSION_OUT, mp);
   clib_memcpy(mp->out_addr, &out_addr, 4);
-  mp->out_port = ntohs(out_port);
+  mp->out_port = ntohs((u16)out_port);
   clib_memcpy(mp->ext_addr, &ext_addr, 4);
-  mp->ext_port = ntohs(ext_port);
+  mp->ext_port = ntohs((u16)ext_port);
 
   S(mp);
   W (ret);
@@ -1010,7 +1010,7 @@ static int api_snat_det_close_session_in (vat_main_t * vam)
   unformat_input_t * i = vam->input;
   vl_api_snat_det_close_session_in_t * mp;
   ip4_address_t in_addr, ext_addr;
-  u16 in_port, ext_port;
+  u32 in_port, ext_port;
   int ret;
 
   if (unformat (i, "%U:%d %U:%d",
@@ -1025,9 +1025,9 @@ static int api_snat_det_close_session_in (vat_main_t * vam)
 
   M(SNAT_DET_CLOSE_SESSION_IN, mp);
   clib_memcpy(mp->in_addr, &in_addr, 4);
-  mp->in_port = ntohs(in_port);
+  mp->in_port = ntohs((u16)in_port);
   clib_memcpy(mp->ext_addr, &ext_addr, 4);
-  mp->ext_port = ntohs(ext_port);
+  mp->ext_port = ntohs((u16)ext_port);
 
   S(mp);
   W (ret);