forked from Mirror/frr
lib: cli: don't run off graph "pre-end"
Behind END_TKN, there is another graph node whose data pointer is actually struct cmd_element instead of struct cmd_token. Don't try to interpret that as cmd_token. This causes very interesting crashes when ASLR decides to give one of the strings of a command definition a lower 32-bit value that is a valid cmd_token_type (e.g. FORK_TKN). Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
This commit is contained in:
parent
9b0a8efa46
commit
5225e155d3
|
@ -385,7 +385,6 @@ static void cmd_node_names(struct graph_node *gn, struct graph_node *join,
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case START_TKN:
|
case START_TKN:
|
||||||
case END_TKN:
|
|
||||||
case JOIN_TKN:
|
case JOIN_TKN:
|
||||||
/* "<foo|bar> WORD" -> word is not "bar" or "foo" */
|
/* "<foo|bar> WORD" -> word is not "bar" or "foo" */
|
||||||
prevname = NULL;
|
prevname = NULL;
|
||||||
|
@ -405,6 +404,9 @@ static void cmd_node_names(struct graph_node *gn, struct graph_node *join,
|
||||||
cmd_token_varname_set(tailtok, jointok->varname);
|
cmd_token_varname_set(tailtok, jointok->varname);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case END_TKN:
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < vector_active(gn->to); i++) {
|
for (i = 0; i < vector_active(gn->to); i++) {
|
||||||
|
|
Loading…
Reference in a new issue