[quagga-dev 10631] [PATCH 1/2] lib: fix possible off-by-one in stream_put_prefix()

Jorge Boncompte [DTI2] jorge at dti2.net
Wed Jul 31 17:01:17 BST 2013


From: "Jorge Boncompte [DTI2]" <jorge at dti2.net>

The problem is that the call to stream_putc() moves the buffer
position between checking the writeable space and copying the prefix.

Signed-off-by: Jorge Boncompte [DTI2] <jorge at dti2.net>
---
 lib/stream.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/lib/stream.c b/lib/stream.c
index ee2920e..0d5719a 100644
--- a/lib/stream.c
+++ b/lib/stream.c
@@ -690,26 +690,27 @@ stream_put_in_addr (struct stream *s, struct in_addr *addr)
   return sizeof (u_int32_t);
 }
 
-/* Put prefix by nlri type format. */
+/* Put prefix by NLRI type format. */
 int
 stream_put_prefix (struct stream *s, struct prefix *p)
 {
   size_t psize;
-  
+
   STREAM_VERIFY_SANE(s);
-  
+
   psize = PSIZE (p->prefixlen);
-  
-  if (STREAM_WRITEABLE (s) < psize)
+
+  if (STREAM_WRITEABLE (s) < (psize + sizeof (u_char)))
     {
-      STREAM_BOUND_WARN (s, "put");
+      STREAM_BOUND_WARN (s, "put prefix");
       return 0;
     }
-  
-  stream_putc (s, p->prefixlen);
+
+  s->data[s->endp++] = p->prefixlen;
+
   memcpy (s->data + s->endp, &p->u.prefix, psize);
   s->endp += psize;
-  
+
   return psize;
 }
 
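Review bot: The function still returns only psize at the end of the hunk, so a prefix with prefixlen 0 writes its length byte and returns 0, the same value the new bounds check returns on failure (PSIZE(0) evaluates to 0 as defined in prefix.h, if that is the macro in use here), and a caller cannot tell the two apart. Returning the bytes actually written, `return psize + sizeof (u_char);`, would remove that ambiguity, though any caller that relies on the present return value would have to be checked first. The direct write `s->data[s->endp++] = p->prefixlen;` now depends solely on the check above instead of stream_putc()'s own bound check, which is worth stating in place: `/* Written directly: the space check above already covers this byte, and stream_putc() would recheck and advance endp before the memcpy below. */`. The whole function lies within the hunk.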
-- 
1.7.10.4





