From 8da920d3c06c8c05f4cc72f2514cb85e21c4ba60 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Thu, 24 Sep 2020 08:07:12 -0400
Subject: [PATCH] bgpd: Ensure we do integer size promotions

When doing multiplication of (int) * (uint_8t) we can have overflow and end up in a weird state. Intentionally upgrade the type then do the math.

Signed-off-by: Donald Sharp
---
 bgpd/bgp_ecommunity.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 79fb7e55e9..3a0400a4b3 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -265,7 +265,8 @@ struct ecommunity *ecommunity_dup(struct ecommunity *ecom)
  if (new->size) {
  new->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
  ecom->size * ecom->unit_size);
- memcpy(new->val, ecom->val, ecom->size * ecom->unit_size);
+ memcpy(new->val, ecom->val,
+ (size_t)ecom->size * (size_t)ecom->unit_size);
  } else
  new->val = NULL;
  return new;
@@ -285,18 +286,16 @@ struct ecommunity *ecommunity_merge(struct ecommunity *ecom1,
  struct ecommunity *ecom2)
 {
  if (ecom1->val)
- ecom1->val =
- XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom1->val,
- (ecom1->size + ecom2->size) *
- ecom1->unit_size);
+ ecom1->val = XREALLOC(MTYPE_ECOMMUNITY_VAL, ecom1->val,
+ (size_t)(ecom1->size + ecom2->size)
+ * (size_t)ecom1->unit_size);
  else
- ecom1->val =
- XMALLOC(MTYPE_ECOMMUNITY_VAL,
- (ecom1->size + ecom2->size) *
- ecom1->unit_size);
+ ecom1->val = XMALLOC(MTYPE_ECOMMUNITY_VAL,
+ (size_t)(ecom1->size + ecom2->size)
+ * (size_t)ecom1->unit_size);
 
  memcpy(ecom1->val + (ecom1->size * ecom1->unit_size), ecom2->val,
- ecom2->size * ecom1->unit_size);
+ (size_t)ecom2->size * (size_t)ecom1->unit_size);
  ecom1->size += ecom2->size;
 
  return ecom1;
-- 
2.39.5
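Review bot: The XMALLOC size just above the changed memcpy in ecommunity_dup is still computed as `ecom->size * ecom->unit_size` without the promotion, so the allocation and the copy length now come from different arithmetic. If that product ever wrapped (the commit message describes the operands as int and uint8_t), the buffer could be sized from the wrapped value while memcpy copies the promoted length, which would write past the allocation. Computing the length once, e.g. `size_t len = (size_t)ecom->size * ecom->unit_size;`, and passing `len` to both XMALLOC and memcpy keeps the two in step. The function starts above this hunk, so how `new->size` is set is not visible here.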
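Review bot: In ecommunity_merge the sum `ecom1->size + ecom2->size` is still added in the original type before the `(size_t)` cast, and the memcpy destination offset `ecom1->size * ecom1->unit_size` is left uncast, so the promotion covers only part of the arithmetic. Widening each operand first, `((size_t)ecom1->size + (size_t)ecom2->size) * ecom1->unit_size`, and using `ecom1->val + (size_t)ecom1->size * ecom1->unit_size` for the destination, would make the allocation size, the offset and the copy length agree. The copy also measures ecom2's data with `ecom1->unit_size`; if the two unit sizes can differ, the length would not match what `ecom2->val` actually holds, and no check for that is visible in the hunk. The closing brace of the function lies outside the hunk.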