lib: graph: fix vector_remove()

vector_remove would corrupt the data in the following sequence:
1. assume vector v = [a, b], active = 2
2. vector_unset(v, 0) => v = [NULL, b], active = 2
3. vector_remove(v, 1)

vector_remove calls vector_unset(v, 1), vector_unset notices index #0 is
also NULL and thus sets active to 0.

The equality test in vector_remove() now fails, leading it to decrement
v->active *again*, leading to an underflow that will likely crash the
daemon (and might even be exploitable).

This call sequence does not happen in existing code since vector_unset()
is not used on graph from/to lists.  Nonetheless this is a buried land
mine in the code at best.

Rewrite the function - while we're at it, there's no reason to move the
entire array around, just fill the hole with the last element.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Cc: Quentin Young <qlyoung@cumulusnetworks.com>

0 files changed, 0 insertions, 0 deletions