
ospf6d: don't access nexthops out of bounds

Given that the && is evaluated lazily from left to right,
i < OSPF6_MULTI_PATH_LIMIT should be checked prior to calling
ospf6_nexthop_is_set on the array element, not the other way around.

Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>
Christian Franke 3 years ago
parent
commit
7fca43f718
3 changed files with 12 additions and 12 deletions
  1. 2 2
      ospf6d/ospf6_intra.c
  2. 4 4
      ospf6d/ospf6_route.c
  3. 6 6
      ospf6d/ospf6_spf.c

+ 2 - 2
ospf6d/ospf6_intra.c

@@ -1289,8 +1289,8 @@ ospf6_intra_prefix_lsa_add (struct ospf6_lsa *lsa)
         }
       else
         {
-          for (i = 0; ospf6_nexthop_is_set (&ls_entry->nexthop[i]) &&
-               i < OSPF6_MULTI_PATH_LIMIT; i++)
+          for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+               ospf6_nexthop_is_set (&ls_entry->nexthop[i]); i++)
             ospf6_nexthop_copy (&route->nexthop[i], &ls_entry->nexthop[i]);
         }
 
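Review bot: The condition `i < OSPF6_MULTI_PATH_LIMIT && ospf6_nexthop_is_set (&ls_entry->nexthop[i])` is only safe in this operand order, and the same two-part condition is repeated in all six loops this commit touches (twice in ospf6_route.c, three times in ospf6_spf.c). Moving it into one shared iteration macro, or a small inline helper that returns the number of set nexthops, would keep the bound check in a single place so a later edit cannot reintroduce the read one element past the array. Short of that, a comment such as `/* bound check first: nexthop[i] must not be read at i == OSPF6_MULTI_PATH_LIMIT */` above each loop documents the constraint. The copy also stops at the first unset entry without clearing the following slot of route->nexthop, which is only correct if route starts out zeroed; that allocation is outside the hunk and worth confirming.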

+ 4 - 4
ospf6d/ospf6_route.c

@@ -821,8 +821,8 @@ ospf6_route_show (struct vty *vty, struct ospf6_route *route)
            OSPF6_PATH_TYPE_SUBSTR (route->path.type),
            destination, nexthop, IFNAMSIZ, ifname, duration, VNL);
 
-  for (i = 1; ospf6_nexthop_is_set (&route->nexthop[i]) &&
-       i < OSPF6_MULTI_PATH_LIMIT; i++)
+  for (i = 1; i < OSPF6_MULTI_PATH_LIMIT &&
+       ospf6_nexthop_is_set (&route->nexthop[i]); i++)
     {
       /* nexthop */
       inet_ntop (AF_INET6, &route->nexthop[i].address, nexthop,
@@ -918,8 +918,8 @@ ospf6_route_show_detail (struct vty *vty, struct ospf6_route *route)
 
   /* Nexthops */
   vty_out (vty, "Nexthop:%s", VNL);
-  for (i = 0; ospf6_nexthop_is_set (&route->nexthop[i]) &&
-       i < OSPF6_MULTI_PATH_LIMIT; i++)
+  for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+       ospf6_nexthop_is_set (&route->nexthop[i]); i++)
     {
       /* nexthop */
       inet_ntop (AF_INET6, &route->nexthop[i].address, nexthop,
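Review bot: The loop in ospf6_route_show starts at `i = 1` with no comment saying why, while the otherwise identical loop in ospf6_route_show_detail starts at 0. Judging from the preceding vty_out call, which already prints `nexthop` and `ifname`, nexthop[0] appears to be shown on the route's first line and this loop lists the remainder. A comment such as `/* nexthop[0] is printed with the route line above; list the remaining ones */` would make that explicit and stop someone from "fixing" the start index. Both loop bodies continue outside the hunks, so the buffer size passed to inet_ntop cannot be checked from here.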

+ 6 - 6
ospf6d/ospf6_spf.c

@@ -307,8 +307,8 @@ ospf6_spf_install (struct ospf6_vertex *v,
       if (IS_OSPF6_DEBUG_SPF (PROCESS))
         zlog_debug ("  another path found, merge");
 
-      for (i = 0; ospf6_nexthop_is_set (&v->nexthop[i]) &&
-           i < OSPF6_MULTI_PATH_LIMIT; i++)
+      for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+           ospf6_nexthop_is_set (&v->nexthop[i]); i++)
         {
           for (j = 0; j < OSPF6_MULTI_PATH_LIMIT; j++)
             {
@@ -356,8 +356,8 @@ ospf6_spf_install (struct ospf6_vertex *v,
   route->path.options[1] = v->options[1];
   route->path.options[2] = v->options[2];
 
-  for (i = 0; ospf6_nexthop_is_set (&v->nexthop[i]) &&
-       i < OSPF6_MULTI_PATH_LIMIT; i++)
+  for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+       ospf6_nexthop_is_set (&v->nexthop[i]); i++)
     ospf6_nexthop_copy (&route->nexthop[i], &v->nexthop[i]);
 
   if (v->parent)
@@ -500,8 +500,8 @@ ospf6_spf_calculation (u_int32_t router_id,
             ospf6_nexthop_calc (w, v, lsdesc);
           else
             {
-              for (i = 0; ospf6_nexthop_is_set (&v->nexthop[i]) &&
-                   i < OSPF6_MULTI_PATH_LIMIT; i++)
+              for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+                   ospf6_nexthop_is_set (&v->nexthop[i]); i++)
                 ospf6_nexthop_copy (&w->nexthop[i], &v->nexthop[i]);
             }