From: Donald Sharp Date: Wed, 18 Oct 2017 22:37:38 +0000 (-0400) Subject: bgpd: Fix off by one error introduced by 8c9cc7bbf657e3440d9bc758fe45aef5f43c989f X-Git-Tag: frr-4.0-dev~204^2~1 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=12f7047895612c5368c476806a5127500b43243e;p=matthieu%2Ffrr.git bgpd: Fix off by one error introduced by 8c9cc7bbf657e3440d9bc758fe45aef5f43c989f Commit 8c9cc7bbf657e3440d9bc758fe45aef5f43c989f changed the size of the `struct bgp_attr_encap_subtlv` type to be a zero length array at the end instead of having a 1 byte. All memory allocations for this subsuquently were off by 1 byte since those were not adjusted either. Signed-off-by: Donald Sharp
---
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index c178089af7..2d3158d847 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -208,7 +208,7 @@ struct bgp_attr_encap_subtlv *encap_tlv_dup(struct bgp_attr_encap_subtlv *orig)
 struct bgp_attr_encap_subtlv *p;
 for (p = orig, tail = new = NULL; p; p = p->next) {
- int size = sizeof(struct bgp_attr_encap_subtlv) - 1 + p->length;
+ int size = sizeof(struct bgp_attr_encap_subtlv) + p->length;
 if (tail) {
 tail->next = XCALLOC(MTYPE_ENCAP_TLV, size);
 tail = tail->next;
@@ -1916,7 +1916,7 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 /* alloc and copy sub-tlv */
 /* TBD make sure these are freed when attributes are released */
 tlv = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1
+ sizeof(struct bgp_attr_encap_subtlv)
 + sublength);
 tlv->type = subtype;
 tlv->length = sublength;
diff --git a/bgpd/bgp_encap_tlv.c b/bgpd/bgp_encap_tlv.c
index 4457501613..30a08098e8 100644
--- a/bgpd/bgp_encap_tlv.c
+++ b/bgpd/bgp_encap_tlv.c
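Review bot: The allocation size in `encap_tlv_dup` is still an open-coded `sizeof(struct bgp_attr_encap_subtlv) + p->length`, the same expression this patch has to correct by hand at every other `XCALLOC(MTYPE_ENCAP_TLV, ...)` site in bgp_attr.c, bgp_encap_tlv.c and rfapi.c, so the next layout change to the struct can reintroduce the mismatch. A single allocator helper taking the value length (a proposed name would be `encap_tlv_alloc(len)`) would keep the header size and the trailing-array size in one place. Independently, the size is held in an `int`; `size_t size = sizeof(struct bgp_attr_encap_subtlv) + p->length;` avoids the signed conversion when it is passed to the allocator. The loop body continues past the end of the hunk.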
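Review bot: In `bgp_attr_encap`, `sublength` both sizes the allocation and is stored in `tlv->length`, and the function takes `struct peer *peer`, so the value presumably comes from a received attribute; the check that it fits the remaining attribute length is not visible in this hunk and should be confirmed to run before the `XCALLOC`. If the copy that follows writes `sublength` bytes, the pre-fix code under-allocated by one byte on a path fed by peer data, which is worth stating in the commit message so the fix is triaged as a heap overrun when backporting. The existing `TBD make sure these are freed` comment is left unresolved. A comment such as `/* sublength is peer-supplied and already bounded by the attribute length */` above the allocation would record the invariant; the function starts and ends outside the hunk.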
@@ -47,7 +47,7 @@ static struct bgp_attr_encap_subtlv *subtlv_encode_encap_l2tpv3_over_ip(
 assert(total <= 0xff);
 new = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+ sizeof(struct bgp_attr_encap_subtlv) + total);
 assert(new);
 new->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;
 new->length = total;
@@ -72,7 +72,7 @@ subtlv_encode_encap_gre(struct bgp_tea_subtlv_encap_gre_key *st)
 assert(total <= 0xff);
 new = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+ sizeof(struct bgp_attr_encap_subtlv) + total);
 assert(new);
 new->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;
 new->length = total;
@@ -95,7 +95,7 @@ subtlv_encode_encap_pbb(struct bgp_tea_subtlv_encap_pbb *st)
 assert(total <= 0xff);
 new = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+ sizeof(struct bgp_attr_encap_subtlv) + total);
 assert(new);
 new->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;
 new->length = total;
@@ -128,7 +128,7 @@ subtlv_encode_proto_type(struct bgp_tea_subtlv_proto_type *st)
 assert(total <= 0xff);
 new = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+ sizeof(struct bgp_attr_encap_subtlv) + total);
 assert(new);
 new->type = BGP_ENCAP_SUBTLV_TYPE_PROTO_TYPE;
 new->length = total;
@@ -150,7 +150,7 @@ subtlv_encode_color(struct bgp_tea_subtlv_color *st)
 assert(total <= 0xff);
 new = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+ sizeof(struct bgp_attr_encap_subtlv) + total);
 assert(new);
 new->type = BGP_ENCAP_SUBTLV_TYPE_COLOR;
 new->length = total;
@@ -182,7 +182,7 @@ subtlv_encode_ipsec_ta(struct bgp_tea_subtlv_ipsec_ta *st)
 assert(total <= 0xff);
 new = XCALLOC(MTYPE_ENCAP_TLV,
- sizeof(struct bgp_attr_encap_subtlv) - 1 + total);
+ sizeof(struct bgp_attr_encap_subtlv) + total);
 assert(new);
 new->type = BGP_ENCAP_SUBTLV_TYPE_IPSEC_TA;
 new->length = total;
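Review bot: In `subtlv_encode_encap_l2tpv3_over_ip` the only bound on `total` before it is written to `new->length` is `assert(total <= 0xff)`, and the only allocation check is `assert(new)`; the same pair appears in the hunks at 72, 95, 128, 150 and 182 and in the `subtlv_encode_remote_endpoint` hunk at 206. Whether these survive a release build depends on which `assert` the project uses, which is not visible here. If they can be compiled out, an explicit check such as `if (total > 0xff) return NULL;` would keep the recorded length within what the 0xff limit suggests is a one-octet field, although callers would then have to handle NULL and this page does not show them. Each function body starts and ends outside its hunk.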
@@ -206,7 +206,7 @@ subtlv_encode_remote_endpoint(struct bgp_tea_subtlv_remote_endpoint *st) assert(total <= 0xff); new = XCALLOC(MTYPE_ENCAP_TLV, - sizeof(struct bgp_attr_encap_subtlv) - 1 + total); + sizeof(struct bgp_attr_encap_subtlv) + total); assert(new); new->type = BGP_ENCAP_SUBTLV_TYPE_REMOTE_ENDPOINT; new->length = total; @@ -404,7 +404,7 @@ void bgp_encap_type_vxlan_to_tlv( if (attr->encap_subtlvs) XFREE(MTYPE_ENCAP_TLV, attr->encap_subtlvs); tlv = XCALLOC(MTYPE_ENCAP_TLV, - sizeof(struct bgp_attr_encap_subtlv) - 1 + 12); + sizeof(struct bgp_attr_encap_subtlv) + 12); tlv->type = 1; /* encapsulation type */ tlv->length = 12; if (bet->vnid) { diff --git a/bgpd/rfapi/rfapi.c b/bgpd/rfapi/rfapi.c index b093265ffb..15a29442f4 100644 --- a/bgpd/rfapi/rfapi.c +++ b/bgpd/rfapi/rfapi.c @@ -757,7 +757,7 @@ void add_vnc_route(struct rfapi_descriptor *rfd, /* cookie, VPN UN addr, peer */ encaptlv = XCALLOC(MTYPE_ENCAP_TLV, - sizeof(struct bgp_attr_encap_subtlv) - 1 + 4); + sizeof(struct bgp_attr_encap_subtlv) + 4); assert(encaptlv); encaptlv->type = BGP_VNC_SUBTLV_TYPE_LIFETIME; /* prefix lifetime */ @@ -801,8 +801,8 @@ void add_vnc_route(struct rfapi_descriptor *rfd, /* cookie, VPN UN addr, peer */ */ encaptlv = XCALLOC( MTYPE_ENCAP_TLV, - sizeof(struct bgp_attr_encap_subtlv) - 1 - + 2 + hop->length); + sizeof(struct bgp_attr_encap_subtlv) + + 2 + hop->length); assert(encaptlv); encaptlv->type = BGP_VNC_SUBTLV_TYPE_RFPOPTION; /* RFP
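Review bot: `bgp_encap_type_vxlan_to_tlv` writes the literal `12` twice (allocation size and `tlv->length`) and sets `tlv->type = 1`, while the other encoders in this file use `BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION`; if that constant has the same value, as the `/* encapsulation type */` comment suggests, `tlv->type = BGP_ENCAP_SUBTLV_TYPE_ENCAPSULATION;` and one named length used for both places would keep size and length from drifting apart. The `XFREE` just above releases only `attr->encap_subtlvs` itself; since the struct carries a `next` pointer (visible in `encap_tlv_dup`), any chained sub-TLVs would leak unless the list is known to hold a single element at this point. Unlike the other allocation sites in the file, `tlv` is dereferenced with no check after `XCALLOC`. The function continues outside the hunk.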