proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-13 16:26:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pbrd: Fix nearly impossible truncation

Browse Source 
Since we are writing into the name field which is PBR_MAP_NAMELEN
size, we are expecting this to field to be at max 100 bytes.
Newer compilers understand that the %s portion may be up to
100 bytes( because of the size of the string.  The %u portion
is expected to be 10 bytes.  So in `theory` there are situations
where we might truncate.  The reality this is never going to
happen( who is going to create a nexthop group name that is
over say 30 characters? ).  As such we are expecting the
calling function to subtract 10 from the size_t l before
we pass it in to get around this new gcc fun.

Fixes: #2163
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
This commit is contained in:
Donald Sharp 2018-05-02 20:12:31 -04:00
parent d71b0564c2
commit 29d5a14634
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pbrd/pbr_nht.c
View File

@ -470,6 +470,18 @@ void pbr_nht_change_group(const char *name)
pbr_nht_install_nexthop_group(pnhgc, nhgc->nhg);
}
/*
* Since we are writing into the name field which is PBR_MAP_NAMELEN
* size, we are expecting this to field to be at max 100 bytes.
* Newer compilers understand that the %s portion may be up to
* 100 bytes( because of the size of the string. The %u portion
* is expected to be 10 bytes. So in `theory` there are situations
* where we might truncate. The reality this is never going to
* happen( who is going to create a nexthop group name that is
* over say 30 characters? ). As such we are expecting the
* calling function to subtract 10 from the size_t l before
* we pass it in to get around this new gcc fun.
*/
char *pbr_nht_nexthop_make_name(char *name, size_t l,
uint32_t seqno, char *buffer)
{
@ -485,7 +497,7 @@ void pbr_nht_add_individual_nexthop(struct pbr_map_sequence *pbrms)
struct pbr_nexthop_cache lookup;
memset(&find, 0, sizeof(find));
pbr_nht_nexthop_make_name(pbrms->parent->name, PBR_MAP_NAMELEN,
pbr_nht_nexthop_make_name(pbrms->parent->name, PBR_MAP_NAMELEN - 10,
pbrms->seqno, find.name);
if (!pbrms->internal_nhg_name)
pbrms->internal_nhg_name = XSTRDUP(MTYPE_TMP, find.name);

4
pbrd/pbr_vty.c
View File

@ -269,7 +269,7 @@ DEFPY(pbr_map_nexthop, pbr_map_nexthop_cmd,
if (pbrms->nhg)
nh = nexthop_exists(pbrms->nhg, &nhop);
else {
char buf[100];
char buf[PBR_MAP_NAMELEN];
if (no) {
vty_out(vty, "No nexthops to delete");
@ -280,7 +280,7 @@ DEFPY(pbr_map_nexthop, pbr_map_nexthop_cmd,
pbrms->internal_nhg_name =
XSTRDUP(MTYPE_TMP,
pbr_nht_nexthop_make_name(pbrms->parent->name,
PBR_MAP_NAMELEN,
PBR_MAP_NAMELEN - 10,
pbrms->seqno,
buf));
nh = NULL;