ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vppinfra: fix random buffer OOB crash with ASAN

Browse Source 
Don't truncate with vec_set_len bytes before they can be used. When
built with ASAN, it these bytes are poisoned and trigger SIGSEGV when
read.

Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: I912dbbd83822b884f214b3ddcde02e3527848592
This commit is contained in:
Dmitry Valter
2023-01-22 13:09:15 +00:00
committed by Dmitry Valter
parent 6a782ca3b0
commit 3b5ab65bd3
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/vppinfra/random_buffer.h
View File

@ -54,6 +54,9 @@ typedef struct
/* Random buffer. */
uword *buffer;
/* An actual length to be applied before using the buffer. */
uword next_read_len;
/* Cache up to 1 word worth of bytes for random data
less than one word at a time. */
uword n_cached_bytes;
@ -84,6 +87,11 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes)
{
uword n_words, i, l;
if (b->buffer)
vec_set_len (b->buffer, b->next_read_len);
else
ASSERT (b->next_read_len == 0);
l = b->n_cached_bytes;
if (n_bytes <= l)
{
@ -100,7 +108,7 @@ clib_random_buffer_get_data (clib_random_buffer_t * b, uword n_bytes)
clib_random_buffer_fill (b, n_words);
i = vec_len (b->buffer) - n_words;
vec_set_len (b->buffer, i);
b->next_read_len = i;
if (n_bytes < sizeof (uword))
{