git.puffer.fish Git - matthieu/frr.git/commit

author	Donald Sharp <sharpd@cumulusnetworks.com>
	Fri, 3 Nov 2017 18:09:24 +0000 (14:09 -0400)
committer	Donald Sharp <sharpd@cumulusnetworks.com>
	Mon, 6 Nov 2017 15:34:51 +0000 (10:34 -0500)
commit	edf344ebff93f9ae470ec2a373b5fa65c1442670
tree	e54364b7f4b77d13392ef1ea411df41580a3ee44	tree \| snapshot
parent	608646688be673edfa55d089ea11997d6a3e7794	commit \| diff

bgpd: Fix crash with ecommunity string

When we are displaying a extended community ECOMMUNITY_SITE_ORIGIN
the display sprintf is this:

len = sprintf(
str_buf + str_pnt,
"EVPN:%02x:%02x:%02x:%02x:%02x:%02x",
macaddr[0], macaddr[1], macaddr[2],
macaddr[3], macaddr[4], macaddr[5]);

The problem with this is that macaddr[0] is passed in as a integer
so the sprintf function thinks that the value to display is much
larger than it actually is. The ECOMMUNITY_STR_DEFAULT_LEN is 27
So the resulting string no-longer fits in memory and we write
off the end of the buffer and can crash. If we force the
passed in value to be a uint8_t then we get the expected output
since a single byte is displayed as 2 hex characters and the
resulting string fits in str_buf.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>