ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libmemif: verify length of transmitted buffers

Browse Source 
In memif_tx_burst verify that total buffer size
(data_offset + data_len) does not exceed buffer
size. If not valid returns MEMIF_ERR_INVAL_ARG.

Type: fix

Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: Ifae8f92344a401febbc1efd22c301356ccf83d44
This commit is contained in:
Jakub Grajciar
2021-03-01 08:54:35 +01:00
committed by Damjan Marion
parent 3d019a541c
commit cef0cc1a07
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
extras/libmemif/src/main.c
View File

@ -2496,11 +2496,12 @@ memif_tx_burst (memif_conn_handle_t conn, uint16_t qid,
data_offset = b0->data - (d->offset + c->regions[d->region].addr); data_offset = b0->data - (d->offset + c->regions[d->region].addr);
if (data_offset != 0) if (data_offset != 0)
{ {
/* verify data offset */ /* verify data offset and buffer length */
if ((data_offset < 0) || if ((data_offset < 0) ||
(data_offset > (d->offset + offset_mask))) ((data_offset + b0->len) > c->run_args.buffer_size))
{ {
printf ("%ld\n", data_offset); DBG ("slot: %d, data_offset: %d, length: %d",
b0->desc_index & mask, data_offset, b0->len);
err = MEMIF_ERR_INVAL_ARG; err = MEMIF_ERR_INVAL_ARG;
goto done; goto done;
} }