From 3b37125bdb0251181f90a429a4532b339711cf89 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Beno=C3=AEt=20Ganne?= Date: Tue, 21 Jan 2020 18:24:44 +0100 Subject: [PATCH] map: api: fix tag overflow and leak MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The 'tag' parameter is expected to be a NULL-terminated C-string in callees: - make sure it is null-terminated in both API and CLI cases - do not allocate & copy the string into a non-NULL-terminated vector in API case - fix leak in CLI case Type: fix Change-Id: I221a489a226240548cdeb5e3663bbfb94eee4600 Signed-off-by: Benoît Ganne --- src/plugins/map/map.c | 3 ++- src/plugins/map/map_api.c | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/plugins/map/map.c b/src/plugins/map/map.c index bc9b3df50ba..92d2337d0ba 100644 --- a/src/plugins/map/map.c +++ b/src/plugins/map/map.c @@ -551,7 +551,7 @@ map_add_domain_command_fn (vlib_main_t * vm, num_m_args++; else if (unformat (line_input, "mtu %d", &mtu)) num_m_args++; - else if (unformat (line_input, "tag %v", &tag)) + else if (unformat (line_input, "tag %s", &tag)) ; else { @@ -573,6 +573,7 @@ map_add_domain_command_fn (vlib_main_t * vm, mtu, flags, tag); done: + vec_free (tag); unformat_free (line_input); return error; diff --git a/src/plugins/map/map_api.c b/src/plugins/map/map_api.c index 418f6a02a36..7327732c6a7 100644 --- a/src/plugins/map/map_api.c +++ b/src/plugins/map/map_api.c @@ -40,7 +40,7 @@ vl_api_map_add_domain_t_handler (vl_api_map_add_domain_t * mp) u32 index; u8 flags = 0; - u8 *tag = format (0, "%s", mp->tag); + mp->tag[ARRAY_LEN (mp->tag) - 1] = '\0'; rv = map_create_domain ((ip4_address_t *) & mp->ip4_prefix.address, mp->ip4_prefix.len, @@ -48,8 +48,9 @@ vl_api_map_add_domain_t_handler (vl_api_map_add_domain_t * mp) mp->ip6_prefix.len, (ip6_address_t *) & mp->ip6_src.address, mp->ip6_src.len, mp->ea_bits_len, mp->psid_offset, - mp->psid_length, &index, ntohs (mp->mtu), flags, tag); - vec_free (tag); + mp->psid_length, &index, ntohs (mp->mtu), flags, + mp->tag); + /* *INDENT-OFF* */ REPLY_MACRO2(VL_API_MAP_ADD_DOMAIN_REPLY, ({ -- 2.16.6