bgpd: Fix crash with ecommunity string

When we are displaying a extended community ECOMMUNITY_SITE_ORIGIN the display sprintf is this: len = sprintf( str_buf + str_pnt, "EVPN:%02x:%02x:%02x:%02x:%02x:%02x", macaddr[0], macaddr[1], macaddr[2], macaddr[3], macaddr[4], macaddr[5]); The problem with this is that macaddr[0] is passed in as a integer so the sprintf function thinks that the value to display is much larger than it actually is. The ECOMMUNITY_STR_DEFAULT_LEN is 27 So the resulting string no-longer fits in memory and we write off the end of the buffer and can crash. If we force the passed in value to be a uint8_t then we get the expected output since a single byte is displayed as 2 hex characters and the resulting string fits in str_buf. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
2025-08-14 02:53:55 +00:00 · 2017-11-03 14:09:24 -04:00 · 2017-11-03 14:09:24 -04:00 · edf344ebff
commit edf344ebff
parent 608646688b
1 changed files with 6 additions and 2 deletions
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@ -702,8 +702,12 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 				len = sprintf(
 					str_buf + str_pnt,
 					"EVPN:%02x:%02x:%02x:%02x:%02x:%02x",
-					macaddr[0], macaddr[1], macaddr[2],
-					macaddr[3], macaddr[4], macaddr[5]);
+					(uint8_t)macaddr[0],
+					(uint8_t)macaddr[1],
+					(uint8_t)macaddr[2],
+					(uint8_t)macaddr[3],
+					(uint8_t)macaddr[4],
+					(uint8_t)macaddr[5]);
 			} else if (*pnt
 				   == ECOMMUNITY_EVPN_SUBTYPE_MACMOBILITY) {
 				u_int32_t seqnum;