authorDonald Sharp <sharpd@cumulusnetworks.com>2016-03-11 16:28:34 -0500
committerDonald Sharp <sharpd@cumulusnetworks.com>2016-03-11 18:29:14 -0500
commit5e57b5fc621300427d3818f0723b8cd8d5e5ca6a (patch)
tree738345e0c3121f329266e8b8faaa88661e7cdb2e /bgpd/bgp_zebra.c
parente3f623be8b6556db9d70c2fc5d3c2b152f36dc1d (diff)
quagga: Remove double read of stream
The addition of a MIN(X,Y) with a stream_getc in the Y causes a double read of the stream due to the way that MIN is defined. This fix removes a crash in all protocols. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Diffstat (limited to 'bgpd/bgp_zebra.c')
-rw-r--r--bgpd/bgp_zebra.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/bgpd/bgp_zebra.c b/bgpd/bgp_zebra.c
index bee1a947..d0b9216a 100644
--- a/bgpd/bgp_zebra.c
+++ b/bgpd/bgp_zebra.c
@@ -238,6 +238,7 @@ zebra_read_ipv4 (int command, struct zclient *zclient, zebra_size_t length,
struct zapi_ipv4 api;
struct in_addr nexthop;
struct prefix_ipv4 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
nexthop.s_addr = 0;
@@ -250,7 +251,8 @@ zebra_read_ipv4 (int command, struct zclient *zclient, zebra_size_t length,
/* IPv4 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv4));
p.family = AF_INET;
- p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV4_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */
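Review bot: In the IPv4 prefix read, an out-of-range `plength` is silently clamped by `MIN(IPV4_MAX_PREFIXLEN, plength)`, so a malformed message is still processed; if the sender encoded `PSIZE (plength)` prefix bytes, the nexthop, ifindex, distance and metric fields that follow would then be read from the wrong offset. Consider rejecting the message instead, e.g. `if (plength > IPV4_MAX_PREFIXLEN) return -1;`, ideally with a log line; the return value needs matching to what the callers of zebra_read_ipv4 expect, since its return type and the rest of its body are outside the hunk. The same applies to the `IPV6_MAX_PREFIXLEN` clamp in the zebra_read_ipv6 hunk. A comment such as `/* read once: MIN() evaluates its arguments twice */` above `plength = stream_getc (s);` would also keep the temporary from being folded back into the macro call later.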
@@ -314,6 +316,7 @@ zebra_read_ipv6 (int command, struct zclient *zclient, zebra_size_t length,
struct zapi_ipv6 api;
struct in6_addr nexthop;
struct prefix_ipv6 p;
+ unsigned char plength = 0;
s = zclient->ibuf;
memset (&nexthop, 0, sizeof (struct in6_addr));
@@ -326,7 +329,8 @@ zebra_read_ipv6 (int command, struct zclient *zclient, zebra_size_t length,
/* IPv6 prefix. */
memset (&p, 0, sizeof (struct prefix_ipv6));
p.family = AF_INET6;
- p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
+ plength = stream_getc (s);
+ p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, plength);
stream_get (&p.prefix, s, PSIZE (p.prefixlen));
/* Nexthop, ifindex, distance, metric. */