From 0d4cbb18761cc7e8bcca30274e13762084bf3726 Mon Sep 17 00:00:00 2001
From: Divakar D <ddivakar@juniper.net>
Date: Thu, 15 Sep 2016 16:45:32 +0530
Subject: [PATCH] Validate MAC size before accessing MAC in bridge table
 configs

Currently when Agent sends a bridge table add/delete/dump request
it sends MAC address in "route" sandesh structure. Vrouter is accessing
the rtr_mac field from sandesh decoded structure without validating if
rtr_mac is passed by Agent or not. If Agent does not send this field,
Vrouter crashes as we are accessing NULL pointer.

As a fix, the mac size is validated before accessing the mac.

Change-Id: I89f03e0f5a95b051361f3b242bbeef891fe93144
closes-bug: #1623896
---
 dp-core/vr_bridge.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/dp-core/vr_bridge.c b/dp-core/vr_bridge.c
index 4520ca8d9..4aa151631 100644
--- a/dp-core/vr_bridge.c
+++ b/dp-core/vr_bridge.c
@@ -145,6 +145,9 @@ bridge_table_add(struct vr_rtable * _unused, struct vr_route_req *rt)
     if (!vn_rtable)
         return -EINVAL;
 
+    if (rt->rtr_req.rtr_mac_size != VR_ETHER_ALEN)
+        return -EINVAL;
+
     if (IS_MAC_ZERO(rt->rtr_req.rtr_mac))
         return -EINVAL;
 
@@ -195,6 +198,9 @@ bridge_table_delete(struct vr_rtable * _unused, struct vr_route_req *rt)
     if (!vn_rtable)
         return -EINVAL;
 
+    if (rt->rtr_req.rtr_mac_size != VR_ETHER_ALEN)
+        return -EINVAL;
+
     VR_MAC_COPY(key.be_mac, rt->rtr_req.rtr_mac);
     key.be_vrf_id = rt->rtr_req.rtr_vrf_id;
 
@@ -371,6 +377,9 @@ bridge_table_dump(struct vr_rtable * __unsued, struct vr_route_req *rt)
         goto generate_response;
     }
 
+    if (rt->rtr_req.rtr_mac_size != VR_ETHER_ALEN)
+        return -EINVAL;
+
     mac = (char *)(((vr_route_req *)(dumper->dump_req))->rtr_mac);
     if (!mac) {
         ret = -EINVAL;