[quagga-dev 16763] Re: possible problem with prefix_bit

Matthias Ferdinand mf at 14v.de
Mon Jul 13 13:29:50 BST 2020


On Mon, Jul 13, 2020 at 12:00:02PM +0100, quagga-dev-request at lists.quagga.net wrote:
> Message: 1
> Date: Sun, 12 Jul 2020 21:22:15 +0000 (UTC)
> From: Kostas Sotiropoulos <kosotiro at yahoo.gr>
> To: "quagga-dev at lists.quagga.net" <quagga-dev at lists.quagga.net>
> Subject: [quagga-dev 16762] possible problem with prefix_bit
> Message-ID: <1148511041.807225.1594588935714 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi all, 
> 
> I do not know if this list is still valid but anyway I will express my anxiety for a code snippet:
> Inside lib/table.c there is function set_link:
> static void
> set_link (struct route_node *node, struct route_node *new)
> {
> ? unsigned int bit = prefix_bit (&new->p.u.prefix, node->p.prefixlen);
> 
> ? node->link[bit] = new;
> ? new->parent = node;
> }
> that calls function prefix_bit:
> unsigned int
> prefix_bit (const u_char *prefix, const u_char prefixlen)
> {
> ? unsigned int offset = prefixlen / 8;
> ? unsigned int shift? = 7 - (prefixlen % 8);
> ? 
> ? return (prefix[offset] >> shift) & 1;
> }
> 
> I suppose that prefixlen could also be equal to 32 for an IPV4 address that could result to a buffer overrun insideprefix_bit. Am I right?
> Best regards,Kostas Sotiropoulos


[ Disclaimer: I'm not a developer ]

Hi,

note that struct prefix is at least 8 bytes long, and AFAICT is usually
embedded within a larger struct (e.g. struct route_node) with more
components following after struct prefix.

With 8 bytes size, prefixlen==32 for an IPv4 address will not read from
outside struct prefix (offset==4).

With prefixlen==128 for an IPv6 address it might read 1 byte after struct
prefix (offset==8), but still from valid memory.

Matthias Ferdinand


More information about the Quagga-dev mailing list