bgpd: Fix off by one error introduced by 8c9cc7bbf657e3440d9bc758fe45aef5f43c989f

Commit 8c9cc7bbf657e3440d9bc758fe45aef5f43c989f changed the size
of the `struct bgp_attr_encap_subtlv` type to be a zero length
array at the end instead of having a 1 byte.  All memory allocations
for this subsuquently were off by 1 byte since those were not
adjusted either.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index c178089af7496a2f0ca60e078b89b296072824f4..2d3158d8471de4d36ae2a4000e61a578a1483e2b 100644 (file)
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -208,7 +208,7 @@ struct bgp_attr_encap_subtlv *encap_tlv_dup(struct bgp_attr_encap_subtlv *orig)
        struct bgp_attr_encap_subtlv *p;
 
        for (p = orig, tail = new = NULL; p; p = p->next) {
-               int size = sizeof(struct bgp_attr_encap_subtlv) - 1 + p->length;
+               int size = sizeof(struct bgp_attr_encap_subtlv) + p->length;
                if (tail) {
                        tail->next = XCALLOC(MTYPE_ENCAP_TLV, size);
                        tail = tail->next;
@@ -1916,7 +1916,7 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
                /* alloc and copy sub-tlv */
                /* TBD make sure these are freed when attributes are released */
                tlv = XCALLOC(MTYPE_ENCAP_TLV,
-                             sizeof(struct bgp_attr_encap_subtlv) - 1
+                             sizeof(struct bgp_attr_encap_subtlv)
                                      + sublength);
                tlv->type = subtype;
                tlv->length = sublength;

diff --git a/bgpd/bgp_encap_tlv.c b/bgpd/bgp_encap_tlv.c
index 4457501613a1b25dde212471c3293a35cebac5bb..30a08098e87d75a7b2fd366728ca45dd435b41d7 100644 (file)
--- a/bgpd/bgp_encap_tlv.c
+++ b/bgpd/bgp_encap_tlv.c
@@ -47,7 +47,7 @@ static struct bgp_attr_encap_subtlv *subtlv_encode_encap_l2tpv3_over_ip(
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;
        new->length = total;
@@ -72,7 +72,7 @@ subtlv_encode_encap_gre(struct bgp_tea_subtlv_encap_gre_key *st)
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;
        new->length = total;
@@ -95,7 +95,7 @@ subtlv_encode_encap_pbb(struct bgp_tea_subtlv_encap_pbb *st)
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;
        new->length = total;
@@ -128,7 +128,7 @@ subtlv_encode_proto_type(struct bgp_tea_subtlv_proto_type *st)
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_PROTO_TYPE;
        new->length = total;
@@ -150,7 +150,7 @@ subtlv_encode_color(struct bgp_tea_subtlv_color *st)
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_COLOR;
        new->length = total;
@@ -182,7 +182,7 @@ subtlv_encode_ipsec_ta(struct bgp_tea_subtlv_ipsec_ta *st)
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_IPSEC_TA;
        new->length = total;
@@ -206,7 +206,7 @@ subtlv_encode_remote_endpoint(struct bgp_tea_subtlv_remote_endpoint *st)
        assert(total <= 0xff);
 
        new = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+                     sizeof(struct bgp_attr_encap_subtlv) + total);
        assert(new);
        new->type = BGP_ENCAP_SUBTLV_TYPE_REMOTE_ENDPOINT;
        new->length = total;
@@ -404,7 +404,7 @@ void bgp_encap_type_vxlan_to_tlv(
        if (attr->encap_subtlvs)
                XFREE(MTYPE_ENCAP_TLV, attr->encap_subtlvs);
        tlv = XCALLOC(MTYPE_ENCAP_TLV,
-                     sizeof(struct bgp_attr_encap_subtlv) - 1 + 12);
+                     sizeof(struct bgp_attr_encap_subtlv) + 12);
        tlv->type = 1; /* encapsulation type */
        tlv->length = 12;
        if (bet->vnid) {

diff --git a/bgpd/rfapi/rfapi.c b/bgpd/rfapi/rfapi.c
index b093265ffb0473ac946311507ce82359a82c529b..15a29442f47079001448e04433848e745ac4432c 100644 (file)
--- a/bgpd/rfapi/rfapi.c
+++ b/bgpd/rfapi/rfapi.c
@@ -757,7 +757,7 @@ void add_vnc_route(struct rfapi_descriptor *rfd, /* cookie, VPN UN addr, peer */
 
                encaptlv =
                        XCALLOC(MTYPE_ENCAP_TLV,
-                               sizeof(struct bgp_attr_encap_subtlv) - 1 + 4);
+                               sizeof(struct bgp_attr_encap_subtlv) + 4);
                assert(encaptlv);
                encaptlv->type =
                        BGP_VNC_SUBTLV_TYPE_LIFETIME; /* prefix lifetime */
@@ -801,8 +801,8 @@ void add_vnc_route(struct rfapi_descriptor *rfd, /* cookie, VPN UN addr, peer */
                                 */
                                encaptlv = XCALLOC(
                                        MTYPE_ENCAP_TLV,
-                                       sizeof(struct bgp_attr_encap_subtlv) - 1
-                                               + 2 + hop->length);
+                                       sizeof(struct bgp_attr_encap_subtlv)
+                                       + 2 + hop->length);
                                assert(encaptlv);
                                encaptlv->type =
                                        BGP_VNC_SUBTLV_TYPE_RFPOPTION; /* RFP