acl: fix the integer overflow bug in API message length validation logic

Sending the bogus acl_add_replace message with count=~0 will result in
an overflow of "expected_len" field which is a u32, thus the message
will pass the validation when it should not.

Solution - make the expected_len a u64 to avoid overflow.

The bug was found while experimenting with libfuzzer as part of
https://gerrit.fd.io/r/c/vpp/+/31763

Type: fix
Change-Id: I4a866d48f2418148236f1b1d77c487b869c7c43d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Andrew Yourtchenko
2021-03-25 14:13:47 +00:00
committed by Matthew Smith
parent abd8b36d19
commit 22af286a29


@@ -1772,7 +1772,7 @@ macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
*
*/
static int
verify_message_len (void *mp, u32 expected_len, char *where)
verify_message_len (void *mp, u64 expected_len, char *where)
{
u32 supplied_len = vl_msg_api_get_msg_length (mp);
if (supplied_len < expected_len)
@@ -1796,7 +1796,7 @@ vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
int rv;
u32 acl_list_index = ntohl (mp->acl_index);
u32 acl_count = ntohl (mp->count);
u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
if (verify_message_len (mp, expected_len, "acl_add_replace"))
{
@@ -2085,7 +2085,7 @@ vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
int rv;
u32 acl_list_index = ~0;
u32 acl_count = ntohl (mp->count);
u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
if (verify_message_len (mp, expected_len, "macip_acl_add"))
{
@@ -2112,7 +2112,7 @@ vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
int rv;
u32 acl_list_index = ntohl (mp->acl_index);
u32 acl_count = ntohl (mp->count);
u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
if (verify_message_len (mp, expected_len, "macip_acl_add_replace"))
{
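Review bot: Declaring `expected_len` as u64 widens only the stored result; in all three handler initialisers (acl_add_replace, macip_acl_add, macip_acl_add_replace) the product `acl_count * sizeof (mp->r[0])` is still evaluated in the type of `sizeof`, i.e. size_t. Where size_t is 64 bits a u32 count cannot wrap it, but on a build with a 32-bit size_t the sum would wrap before the assignment, and a count near ~0 could still satisfy the `supplied_len < expected_len` check in verify_message_len. Casting one operand makes the check independent of the target: `u64 expected_len = sizeof (*mp) + (u64) acl_count * sizeof (mp->r[0]);`. A short comment at verify_message_len stating that callers must compute the expected length in 64 bits would keep future handlers from reintroducing the pattern. The handler bodies continue outside the hunks, so any later use of `acl_count` is not visible here.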