lib: fix possible off-by-one in stream_put_prefix()

The STREAM_WRITEABLE() call only checks if there is space for the
prefix in the stream but does not account for the prefixlen. The
stream_putc() call reduces available space by 1 and we can end
copying one byte too much and with "endp" off by one if we are
near the buffer end.

Instead of moving the stream_putc() call before STREAM_WRITEABLE(),
we check before hand for the required space, and open-code it. This
avoids a function call and verifying again the stream buffer.

Signed-off-by: Jorge Boncompte [DTI2] <jorge@dti2.net>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>

diff --git a/lib/stream.c b/lib/stream.c
index ee2920e64796a8d655c3e7974c81b2e0d2466f6c..ccd4623ff16f4c542fc44278dcb51393024c048a 100644 (file)
--- a/lib/stream.c
+++ b/lib/stream.c
@@ -700,13 +700,13 @@ stream_put_prefix (struct stream *s, struct prefix *p)
   
   psize = PSIZE (p->prefixlen);
   
-  if (STREAM_WRITEABLE (s) < psize)
+  if (STREAM_WRITEABLE (s) < (psize + sizeof (u_char)))
     {
       STREAM_BOUND_WARN (s, "put");
       return 0;
     }
   
-  stream_putc (s, p->prefixlen);
+  s->data[s->endp++] = p->prefixlen;
   memcpy (s->data + s->endp, &p->u.prefix, psize);
   s->endp += psize;