- Bug
- Resolution: Done
- Medium
The code generated for the following message:

    autoendian autoreply define sw_interface_set_tx_placement {
      u32 client_index;
      u32 context;
      vl_api_interface_index_t sw_if_index;
      u32 queue_id;
      u32 array_size;
      u32 threads[array_size];
    };

outputs the following:

    static inline void
    vl_api_sw_interface_set_tx_placement_t_endian (vl_api_sw_interface_set_tx_placement_t *a)
    {
      int i __attribute__((unused));
      for (i = 0; i < a->array_size; i++)
        {
          a->threads[i] = clib_net_to_host_u32(a->threads[i]);
        }
      a->_vl_msg_id = clib_net_to_host_u16(a->_vl_msg_id);
      /* a->client_index = a->client_index (no-op) */
      a->context = clib_net_to_host_u32(a->context);
      vl_api_interface_index_t_endian(&a->sw_if_index);
      a->queue_id = clib_net_to_host_u32(a->queue_id);
      a->array_size = clib_net_to_host_u32(a->array_size);
    }
As a consequence, the loop over threads[] runs before a->array_size has itself been converted to host byte order, so we are reading an insanely big (a->array_size) array and end up segfaulting further on in VPP.
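As an added illustration (not code from this ticket or from vppapigen), the fix is a matter of ordering: convert the scalar fields, including the length, before walking the variable-length array, and bound the walk by the bytes actually received. The msg_t layout, the net_to_host_u32 stand-in for clib_net_to_host_u32 and the wire images are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Local stand-in for VPP's clib_net_to_host_u32: read the 4 bytes as big-endian. */
static uint32_t net_to_host_u32(uint32_t x) {
  uint8_t b[4];
  memcpy(b, &x, 4);
  return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
         ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Hypothetical trimmed-down message: scalar header, then array_size u32 entries. */
typedef struct { uint32_t context; uint32_t array_size; uint32_t threads[]; } msg_t;

/* Constructed wire images (network order): a valid one, and one claiming 100 entries with only 3 present. */
static const uint8_t wire_ok[]  = {0,0,0,7, 0,0,0,3,   0,0,0,1, 0,0,0,2, 0,0,0,3};
static const uint8_t wire_bad[] = {0,0,0,7, 0,0,0,100, 0,0,0,1, 0,0,0,2, 0,0,0,3};

/* Bound the generated loop uses: array_size is still in network order, so on a
 * little-endian host 3 reads as 0x03000000 and the loop runs far past the message. */
static uint32_t buggy_loop_bound(const uint8_t *src, size_t len) {
  uint32_t st[8];
  if (len > sizeof st || len < sizeof(msg_t)) return 0;
  memcpy(st, src, len);
  return ((const msg_t *)st)->array_size;
}

/* Corrected order: swap scalars first, then the array, and bound the count by the
 * bytes actually received. Returns 0 on success, -1 on a bad length. */
static int msg_endian_fixed(msg_t *a, size_t msg_len) {
  if (msg_len < sizeof(msg_t)) return -1;
  a->context = net_to_host_u32(a->context);
  a->array_size = net_to_host_u32(a->array_size);
  if (a->array_size > (msg_len - sizeof(msg_t)) / sizeof(uint32_t)) return -1;
  for (uint32_t i = 0; i < a->array_size; i++)
    a->threads[i] = net_to_host_u32(a->threads[i]);
  return 0;
}

/* Decode a wire image and return field 0 = context, 1 = array_size, 2+i = threads[i];
 * UINT32_MAX if the message is rejected or the field is out of range. */
static uint32_t decode_field(const uint8_t *src, size_t len, unsigned field) {
  uint32_t st[8];
  msg_t *m = (msg_t *)st;
  if (len > sizeof st) return UINT32_MAX;
  memcpy(st, src, len);
  if (msg_endian_fixed(m, len) != 0 || field >= 2 + m->array_size) return UINT32_MAX;
  return field == 0 ? m->context : field == 1 ? m->array_size : m->threads[field - 2];
}
```

On a little-endian host buggy_loop_bound(wire_ok, sizeof wire_ok) returns 0x03000000 for a three-entry array, while decode_field decodes the same bytes correctly and rejects wire_bad because its claimed length exceeds the received payload.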