From edf344ebff93f9ae470ec2a373b5fa65c1442670 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Fri, 3 Nov 2017 14:09:24 -0400 Subject: [PATCH] bgpd: Fix crash with ecommunity string When we are displaying a extended community ECOMMUNITY_SITE_ORIGIN the display sprintf is this: len = sprintf( str_buf + str_pnt, "EVPN:%02x:%02x:%02x:%02x:%02x:%02x", macaddr[0], macaddr[1], macaddr[2], macaddr[3], macaddr[4], macaddr[5]); The problem with this is that macaddr[0] is passed in as a integer so the sprintf function thinks that the value to display is much larger than it actually is. The ECOMMUNITY_STR_DEFAULT_LEN is 27 So the resulting string no-longer fits in memory and we write off the end of the buffer and can crash. If we force the passed in value to be a uint8_t then we get the expected output since a single byte is displayed as 2 hex characters and the resulting string fits in str_buf. Signed-off-by: Donald Sharp --- bgpd/bgp_ecommunity.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c index bdcc12705c..e19f516505 100644 --- a/bgpd/bgp_ecommunity.c +++ b/bgpd/bgp_ecommunity.c @@ -702,8 +702,12 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter) len = sprintf( str_buf + str_pnt, "EVPN:%02x:%02x:%02x:%02x:%02x:%02x", - macaddr[0], macaddr[1], macaddr[2], - macaddr[3], macaddr[4], macaddr[5]); + (uint8_t)macaddr[0], + (uint8_t)macaddr[1], + (uint8_t)macaddr[2], + (uint8_t)macaddr[3], + (uint8_t)macaddr[4], + (uint8_t)macaddr[5]); } else if (*pnt == ECOMMUNITY_EVPN_SUBTYPE_MACMOBILITY) { u_int32_t seqnum; -- 2.39.5
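Review bot: the `sprintf(str_buf + str_pnt, "EVPN:%02x:...")` call in the ECOMMUNITY_SITE_ORIGIN/MAC branch of `ecommunity_ecom2str()` is still unbounded after this change, so the fix depends on every argument staying within two hex digits rather than on the buffer size being enforced. The six `(uint8_t)` casts do bound each field to two characters (22 characters plus the terminator, which fits the 27-byte ECOMMUNITY_STR_DEFAULT_LEN quoted in the commit message), but the same class of overflow returns if another format in this function is handed a sign-extended value. Consider switching to `snprintf` with the space remaining in `str_buf` and checking the returned length before advancing `str_pnt`. The declaration of `macaddr` is not visible in this hunk; if it is a plain or signed `char` array, declaring it as `uint8_t` where it is defined would remove the need for per-argument casts and protect any other use of it.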