quagga: Remove double read of stream
Passing stream_getc() as the Y argument of MIN(X,Y)
causes the stream to be read twice, because of the way
that MIN is defined.
This fix removes a crash in all protocols.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c
index bee1a94..d0b9216 100644
--- a/bgpd/bgp_zebra.c
+++ b/bgpd/bgp_zebra.c
@@ -238,6 +238,7 @@
struct zapi_ipv4 api;
struct in_addr nexthop;
struct prefix_ipv4 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
nexthop.s_addr = 0;
@@ -250,7 +251,8 @@
/* IPv4 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv4));
p.family = AF_INET;
- p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */
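Review bot: An out-of-range prefix length is still clamped silently here rather than rejected: when `plength` exceeds `IPV4_MAX_PREFIXLEN`, `stream_get` consumes only `PSIZE (p.prefixlen)` bytes, so if the sender encoded the prefix with the length it advertised, the nexthop, ifindex, distance and metric fields that follow would presumably be parsed from the wrong offset. The clamp is also the only visible bound on the copy into `p.prefix`, so it is worth making the failure explicit before the assignment, e.g. `if (plength > IPV4_MAX_PREFIXLEN) return 0;` (or whatever error convention this handler uses) together with a log line. The same applies to the matching hunks in bgp_zebra.c (IPv6), isis_zebra.c, ospf6_zebra.c, ospf_zebra.c, rip_zebra.c and ripng_zebra.c, with `IPV6_MAX_PREFIXLEN` in the IPv6 handlers. The handler's body starts and ends outside this hunk, so its return type and any cleanup it needs are not visible.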
@@ -314,6 +316,7 @@
struct zapi_ipv6 api;
struct in6_addr nexthop;
struct prefix_ipv6 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
memset (&nexthop, 0, sizeof (struct in6_addr));
@@ -326,7 +329,8 @@
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
p.family = AF_INET6;
- p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */
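Review bot: Nothing at the `plength = stream_getc (s);` line records why the read is split from the `MIN` call, so a later cleanup could fold it back in and reintroduce the double read. A one-line comment such as `/* Read once: MIN() evaluates its arguments more than once. */` above the assignment would keep the reason next to the code, here and in the other six handlers touched by this commit. The `MIN` definition is not part of this diff; if it stays a plain macro, any other call site that passes an expression with side effects would have the same problem and is worth a grep.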
diff --git a/isisd/isis_zebra.c b/isisd/isis_zebra.c
index a1a5bea..4acaf8e 100644
--- a/isisd/isis_zebra.c
+++ b/isisd/isis_zebra.c
@@ -529,6 +529,7 @@
struct prefix *p_generic = (struct prefix*)&p;
unsigned long ifindex __attribute__ ((unused));
struct in_addr nexthop __attribute__ ((unused));
+ unsigned char plength = 0;
stream = zclient->ibuf;
memset(&api, 0, sizeof(api));
@@ -541,7 +542,8 @@
api.message = stream_getc (stream);
p.family = AF_INET;
- p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (stream));
+ plength = stream_getc (stream);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, stream, PSIZE (p.prefixlen));
if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP))
diff --git a/ospf6d/ospf6_zebra.c b/ospf6d/ospf6_zebra.c
index 0caf001..c8f20d8 100644
--- a/ospf6d/ospf6_zebra.c
+++ b/ospf6d/ospf6_zebra.c
@@ -213,6 +213,7 @@
unsigned long ifindex;
struct prefix_ipv6 p;
struct in6_addr *nexthop;
+ unsigned char plength = 0;
s = zclient->ibuf;
ifindex = 0;
@@ -227,7 +228,8 @@
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
p.family = AF_INET6;
- p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */
diff --git a/ospfd/ospf_zebra.c b/ospfd/ospf_zebra.c
index 4531f13..8940455 100644
--- a/ospfd/ospf_zebra.c
+++ b/ospfd/ospf_zebra.c
@@ -832,6 +832,7 @@
struct prefix_ipv4 p;
struct external_info *ei;
struct ospf *ospf;
+ unsigned char plength = 0;
s = zclient->ibuf;
ifindex = 0;
@@ -845,7 +846,8 @@
/* IPv4 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv4));
p.family = AF_INET;
- p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
if (IPV4_NET127(ntohl(p.prefix.s_addr)))
diff --git a/ripd/rip_zebra.c b/ripd/rip_zebra.c
index 1411cd7..2670ff7 100644
--- a/ripd/rip_zebra.c
+++ b/ripd/rip_zebra.c
@@ -135,7 +135,8 @@
unsigned long ifindex;
struct in_addr nexthop;
struct prefix_ipv4 p;
-
+ unsigned char plength = 0;
+
s = zclient->ibuf;
ifindex = 0;
nexthop.s_addr = 0;
@@ -148,7 +149,8 @@
/* IPv4 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv4));
p.family = AF_INET;
- p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */
diff --git a/ripngd/ripng_zebra.c b/ripngd/ripng_zebra.c
index e02b098..7221616 100644
--- a/ripngd/ripng_zebra.c
+++ b/ripngd/ripng_zebra.c
@@ -134,6 +134,7 @@
unsigned long ifindex;
struct in6_addr nexthop;
struct prefix_ipv6 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
ifindex = 0;
@@ -147,7 +148,8 @@
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
p.family = AF_INET6;
- p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */