
RE: Re: possible problem with prefix_bit
I suppose the prerequisite for calling set_link() is that the new node's prefix should be longer than its parent's (but still valid); it's a rather obvious way of building a prefix tree. So prefix_bit() will always read valid data.
________________________________
From: quagga-dev-bounces@lists.quagga.net <quagga-dev-bounces@lists.quagga.net> on behalf of Matthias Ferdinand <mf@14v.de>
Sent: Monday, 13 July 2020 14:29
To: quagga-dev@lists.quagga.net <quagga-dev@lists.quagga.net>
Subject: [quagga-dev 16763] Re: possible problem with prefix_bit

On Mon, Jul 13, 2020 at 12:00:02PM +0100, quagga-dev-request@lists.quagga.net wrote:
> Message: 1
> Date: Sun, 12 Jul 2020 21:22:15 +0000 (UTC)
> From: Kostas Sotiropoulos <kosotiro@yahoo.gr>
> To: "quagga-dev@lists.quagga.net" <quagga-dev@lists.quagga.net>
> Subject: [quagga-dev 16762] possible problem with prefix_bit
> Message-ID: <1148511041.807225.1594588935714@mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> I do not know if this list is still valid, but anyway I will express my anxiety about a code snippet:
> Inside lib/table.c there is the function set_link:
> static void
> set_link (struct route_node *node, struct route_node *new)
> {
>   unsigned int bit = prefix_bit (&new->p.u.prefix, node->p.prefixlen);
>
>   node->link[bit] = new;
>   new->parent = node;
> }
> which calls the function prefix_bit:
> unsigned int
> prefix_bit (const u_char *prefix, const u_char prefixlen)
> {
>   unsigned int offset = prefixlen / 8;
>   unsigned int shift  = 7 - (prefixlen % 8);
>
>   return (prefix[offset] >> shift) & 1;
> }
>
> I suppose that prefixlen could also be equal to 32 for an IPv4 address, which could result in a buffer overrun inside prefix_bit. Am I right?
> Best regards,
> Kostas Sotiropoulos


[ Disclaimer: I'm not a developer ]

Hi,

note that struct prefix is at least 8 bytes long, and AFAICT is usually
embedded within a larger struct (e.g. struct route_node) with more
components following after struct prefix.

With 8 bytes size, prefixlen==32 for an IPv4 address will not read from
outside struct prefix (offset==4).

With prefixlen==128 for an IPv6 address it might read 1 byte after struct
prefix (offset==8), but still from valid memory.

Matthias Ferdinand
_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
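The thread turns on two things: the byte index prefix_bit() reads is prefixlen / 8, and set_link() is only ever called with a child whose prefix is strictly longer than its parent's, so the parent's prefixlen is always below the address width. The following C program is an added illustration of that reasoning, not code from Quagga or from any participant in the thread. It uses a constructed, simplified `struct demo_prefix` (a fixed 16-byte address buffer, not Quagga's `struct prefix`), a bounds-checked variant `prefix_bit_checked()` that reports an out-of-range index instead of reading it, and `set_link_invariant_holds()`, which makes the tree-building precondition explicit; all of these names are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified prefix for this example only (not Quagga's
 * struct prefix): address bytes in network order plus a length in bits. */
#define PREFIX_MAX_BYTES 16
struct demo_prefix {
    unsigned char prefixlen;               /* bits, 0..128 */
    unsigned char bytes[PREFIX_MAX_BYTES]; /* address bytes, network order */
};

/* Byte index that prefix_bit() reads for a given prefixlen: prefixlen / 8.
 * prefixlen == 32 indexes byte 4, prefixlen == 128 indexes byte 16. */
size_t prefix_byte_offset(unsigned int prefixlen)
{
    return prefixlen / 8;
}

/* Bounds-checked variant of prefix_bit(): same arithmetic as the original,
 * but returns -1 instead of reading when the index falls outside a buffer
 * of `nbytes` bytes (the overrun the original poster asked about). */
int prefix_bit_checked(const unsigned char *prefix, size_t nbytes,
                       unsigned int prefixlen)
{
    size_t offset = prefix_byte_offset(prefixlen);
    unsigned int shift = 7 - (prefixlen % 8);

    if (offset >= nbytes)
        return -1;
    return (prefix[offset] >> shift) & 1;
}

/* The precondition the follow-up describes: set_link() is called with a
 * child whose prefix is strictly longer than the parent's and still valid,
 * i.e. parent_len < child_len <= max_bits. Then parent_len < max_bits and
 * parent_len / 8 < max_bits / 8, so the read stays inside the address. */
int set_link_invariant_holds(unsigned int parent_len, unsigned int child_len,
                             unsigned int max_bits)
{
    return parent_len < child_len && child_len <= max_bits;
}

/* Mirrors the call in set_link(): select the child slot from the bit of the
 * child's address at the parent's prefix length. -1 if the precondition
 * fails; with a holding precondition the checked read never hits -1. */
int child_slot(const struct demo_prefix *parent,
               const struct demo_prefix *child, unsigned int max_bits)
{
    if (!set_link_invariant_holds(parent->prefixlen, child->prefixlen, max_bits))
        return -1;
    return prefix_bit_checked(child->bytes, max_bits / 8, parent->prefixlen);
}

int main(void)
{
    /* Constructed IPv4 sample: parent 10.0.0.0/8, child 10.128.0.0/9. */
    struct demo_prefix parent = { 8, { 10, 0, 0, 0 } };
    struct demo_prefix child  = { 9, { 10, 128, 0, 0 } };
    /* A /32 host route: as a parent it cannot have a longer IPv4 child. */
    struct demo_prefix host   = { 32, { 10, 0, 0, 1 } };

    printf("slot for 10.128.0.0/9 under 10.0.0.0/8: %d\n",
           child_slot(&parent, &child, 32));
    printf("child under a /32 parent (precondition violated): %d\n",
           child_slot(&host, &child, 32));
    printf("prefix_bit_checked with prefixlen 32 on a 4-byte buffer: %d\n",
           prefix_bit_checked(host.bytes, 4, 32));
    return 0;
}
```

Run it to see the three cases side by side: a valid parent/child pair lands in slot 1 (bit 8 of 10.128.0.0 is set), a /32 parent is rejected by the precondition before any read happens, and calling the bit extraction directly with prefixlen 32 on a 4-byte address is the one case that would index past the IPv4 bytes, which is why the precondition (or an explicit check like this one) is what keeps the original read in bounds.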