From: Renato Westphal Date: Wed, 20 Feb 2019 18:32:55 +0000 (-0300) Subject: pbrd: fix removal of ipv6 nexthops X-Git-Tag: frr-7.0~4^2~4 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=7e6d3db84ed752c68d79e4da59b9365f74d57b0a;p=matthieu%2Ffrr.git pbrd: fix removal of ipv6 nexthops Fix bug in the code that compares IPv6 addresses. If memcmp() returns 0 then the two addresses are equal. Because of this problem, hash_release() could return NULL in a few places, leading to the following crashes (found by the CLI fuzzer): pbrd aborted: vtysh -c "configure terminal" -c "pbr-map WORD seq 100" -c "no set nexthop 2001:db8::1" pbrd aborted: vtysh -c "configure terminal" -c "nexthop-group NHGROUP" -c "no nexthop 2001:db8::1" Signed-off-by: Renato Westphal --- diff --git a/pbrd/pbr_nht.c b/pbrd/pbr_nht.c index 6103bd7db5..f3bfad3190 100644 --- a/pbrd/pbr_nht.c +++ b/pbrd/pbr_nht.c @@ -164,8 +164,8 @@ static bool pbr_nh_hash_equal(const void *arg1, const void *arg2) == pbrnc2->nexthop->gate.ipv4.s_addr; case NEXTHOP_TYPE_IPV6_IFINDEX: case NEXTHOP_TYPE_IPV6: - return !!memcmp(&pbrnc1->nexthop->gate.ipv6, - &pbrnc2->nexthop->gate.ipv6, 16); + return !memcmp(&pbrnc1->nexthop->gate.ipv6, + &pbrnc2->nexthop->gate.ipv6, 16); case NEXTHOP_TYPE_BLACKHOLE: return pbrnc1->nexthop->bh_type == pbrnc2->nexthop->bh_type; }
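Review bot: in the NEXTHOP_TYPE_IPV6 / NEXTHOP_TYPE_IPV6_IFINDEX case, the corrected `!memcmp(...)` still hard-codes the length 16 and relies on a single `!` for equality, which is one character away from the inverted `!!` test it replaces. Writing it as `memcmp(..., sizeof(pbrnc1->nexthop->gate.ipv6)) == 0` would make the intent explicit and tie the length to the field's type. The commit message attributes the aborts to hash_release() returning NULL in a few places, but nothing in this hunk adds a NULL check at those call sites, so any other lookup miss could still reach the same abort; a follow-up that handles the NULL return would make the CLI paths robust. Because NEXTHOP_TYPE_IPV6_IFINDEX shares this case and only the gateway address is compared in the lines shown, please confirm the ifindex is compared elsewhere in pbr_nh_hash_equal().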