quagga: Remove double read of stream
The addition of a MIN(X,Y) with a stream_getc in the Y
causes a double read of the stream due to the way that
MIN is defined.
This fix removes a crash in all protocols.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c
index bee1a94..d0b9216 100644
--- a/bgpd/bgp_zebra.c
+++ b/bgpd/bgp_zebra.c
@@ -238,6 +238,7 @@
struct zapi_ipv4 api;
struct in_addr nexthop;
struct prefix_ipv4 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
nexthop.s_addr = 0;
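Review bot: The new local `unsigned char plength = 0;` carries no comment explaining why the byte has to be read into a temporary, so a later cleanup could fold `stream_getc (s)` back into the `MIN()` call and reintroduce the double read. I would annotate the declaration, for example `unsigned char plength = 0; /* read once: MIN() evaluates its arguments more than once */`. The same applies to the identical declaration in the IPv6 hunk at -314. Going by the commit message the root cause is the `MIN` definition itself, which this diff leaves unchanged, so any other caller that passes an expression with side effects would presumably still misbehave. The enclosing function starts and ends outside this hunk.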
@@ -250,7 +251,8 @@
/* IPv4 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv4));
p.family = AF_INET;
- p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */
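Review bot: A length byte larger than `IPV4_MAX_PREFIXLEN` is still silently clamped at `p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);`, and parsing carries on as if the message were well formed. The value comes from the zclient input buffer, so an out-of-range length means the message is malformed, and the fields read after the prefix may not line up with what the sender encoded. I would reject rather than clamp, with something like `if (plength > IPV4_MAX_PREFIXLEN) return 0;`, adjusted to whatever error return and logging this handler uses, since its signature and exit paths are outside the hunk. The IPv6 hunk at -326 has the same pattern with `IPV6_MAX_PREFIXLEN`.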
@@ -314,6 +316,7 @@
struct zapi_ipv6 api;
struct in6_addr nexthop;
struct prefix_ipv6 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
memset (&nexthop, 0, sizeof (struct in6_addr));
@@ -326,7 +329,8 @@
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
p.family = AF_INET6;
- p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */